# Aguara — Security Scanner for AI Agent Skills & MCP Servers

> Open-source static security scanner for AI agent skills and MCP servers. 148+ detection rules across 13 categories. 5 analysis engines: pattern matching, NLP, taint tracking, rug-pull detection, and decoding. Auto-discovers 17 MCP clients. Single Go binary, 100% local, zero dependencies. SARIF output for CI/CD. Apache-2.0 licensed.

## Product Overview

Aguara detects security issues in AI agent skills and MCP server configurations using static analysis. It scans skill files (SKILL.md, tool schemas) and server configuration files for prompt injection, credential exfiltration, supply chain attacks, data exfiltration, command execution, and 8 more threat categories.

Key properties:

- 100% local execution — no API keys, no cloud, no LLM
- Single Go binary with zero external dependencies
- Deterministic results — same input, same output, every time
- Auto-discovers 17 MCP clients (Claude Desktop, Cursor, Windsurf, VS Code, and more)
- Extensible with custom YAML rules
- SARIF output for GitHub Code Scanning and GitLab SAST

## Installation

```
go install github.com/aguarascan/aguara@latest
```

Or via curl:

```
curl -fsSL https://raw.githubusercontent.com/garagon/aguara/main/install.sh | bash
```

## Features

### Security Scanner

148+ built-in YAML rules with 5 analysis engines:

1. Pattern matching — regex-based detection of known malicious patterns
2. NLP analysis — Goldmark AST parsing catches obfuscated attacks (heading-body divergence, authority claims, hidden instructions)
3. Taint tracking — source-to-sink flow analysis for data exfiltration paths
4. Rug-pull detection — hash-based change tracking across scans to detect when previously safe skills introduce malicious content
5. Decoding — base64, hex, and other encoding detection

### MCP Client Auto-Discovery

`aguara scan --auto` discovers and scans configurations from 17 MCP clients including Claude Desktop, Cursor, Windsurf, VS Code, and more.
### Aguara Watch Observatory

Continuous crawling and scanning of 40,000+ skills across 7 public registries (skills.sh, ClawHub, PulseMCP, mcp.so, LobeHub, Smithery, Glama). Incremental scans 4x daily. A-F grades for every skill. Open data via JSON API and CSV downloads. Live at https://watch.aguarascan.com.

### MCP Server (Aguara Advisor)

Native MCP tool that gives AI agents direct access to security scanning. Install once, scan from any MCP-compatible agent.

Tools exposed:

- `scan_content` — Scan skill files or MCP server configs for security issues
- `check_mcp_config` — Audit MCP client configuration for insecure settings
- `list_rules` — Browse all 148+ detection rules by category or severity
- `explain_rule` — Get detailed explanation of any detection rule

Installation:

```
go install github.com/garagon/aguara-mcp@latest
claude mcp add aguara -- aguara-mcp
```

### CI/CD Integration

GitHub Actions and GitLab CI support. SARIF output for code scanning alerts. `--ci` and `--changed` flags for fast incremental scans. `--fail-on high` to gate deployments.

### Go Library API

Public Go library with `Scan()`, `ListRules()`, `Discover()`. Functional options for severity, workers, and custom rules.

## Detection Categories (13 total, 148+ rules)

1. Credential Leak — 19 rules — API keys (OpenAI, AWS, GCP, Stripe, Anthropic), private keys, DB strings, credential logging
2. Prompt Injection — 17 + NLP — Instruction overrides, role switching, delimiter injection, jailbreaks, obfuscation, agent spawning
3. External Download — 17 rules — Binary downloads, curl-pipe-shell, unpinned npm/pip/go/cargo installs, Docker pull
4. Data Exfiltration — 16 + NLP — Webhooks, DNS tunneling, env var leaks, sensitive file reads, clipboard, screenshot
5. Command Execution — 16 rules — `shell=True`, `eval`, `subprocess`, `child_process`, PowerShell, hex/octal obfuscation
6. Supply Chain — 15 rules — Suspicious install scripts, obfuscated shell, reverse shells, privilege escalation, container bind mounts
7. MCP Attack — 12 rules — Tool injection, name shadowing, manifest tampering, capability escalation, prototype pollution
8. SSRF & Cloud — 10 rules — Metadata endpoints, IMDS, Docker socket, K8s service discovery, DNS rebinding, IPv6 encoding
9. MCP Config — 8 rules — Unpinned npx servers, hardcoded secrets, shell metacharacters, Docker privileges
10. Unicode Attack — 7 rules — RTL override, bidi characters, homoglyphs, tag characters, Punycode
11. Indirect Injection — 6 rules — Fetch-and-follow, remote config loading, unscoped bash tools
12. Third-Party Content — 5 rules — Mutable content, unvalidated responses, remote templates, unescaped user input
13. Toxic Flow — 3 rules — Source-to-sink taint: private data to public output, credential theft, destructive ops

## Frequently Asked Questions

### What is Aguara?

Aguara is an open-source static security scanner for AI agent skills and MCP servers. It analyzes skill files and tool schemas for security threats using 148+ detection rules across 13 categories. Single Go binary, 100% local, zero dependencies, Apache-2.0 licensed.

### How do I install Aguara?

Install via Go: `go install github.com/aguarascan/aguara@latest`. Or via curl: `curl -fsSL https://raw.githubusercontent.com/garagon/aguara/main/install.sh | bash`. Single binary, no dependencies.

### What MCP clients does Aguara auto-discover?

Aguara auto-discovers configurations from 17 MCP clients including Claude Desktop, Cursor, Windsurf, VS Code, Zed, and more. Run `aguara scan --auto` to scan all discovered configurations at once.

### What threats does Aguara detect?
Aguara detects 13 categories of threats: credential leaks, prompt injection, external downloads, data exfiltration, command execution, supply chain attacks, MCP-specific attacks, SSRF/cloud attacks, MCP config issues, unicode attacks, indirect injection, third-party content risks, and toxic data flows.

### What is Aguara Watch?

Aguara Watch is a continuous threat monitoring observatory that crawls and scans 40,000+ skills across 7 public registries (skills.sh, ClawHub, PulseMCP, mcp.so, LobeHub, Smithery, Glama) with incremental scans 4x daily. Every skill gets an A-F security grade. Open data via JSON API and CSV. Live at https://watch.aguarascan.com.

### How do I integrate Aguara in CI/CD?

Use `aguara scan --ci` for GitHub Actions or `aguara scan --format sarif` for SARIF output compatible with GitHub Code Scanning and GitLab SAST. Use `--fail-on high` to gate deployments on severity thresholds. Use `--changed` for fast incremental scans.

### What is the Aguara MCP Server?

The Aguara MCP Server (Aguara Advisor) is a native MCP tool that exposes security scanning as a tool for AI agents. Install with `go install github.com/garagon/aguara-mcp@latest` and add it to your MCP client. Provides the `scan_content`, `check_mcp_config`, `list_rules`, and `explain_rule` tools.

### How does Aguara relate to Oktsec?

Aguara is the static analysis engine (Layer 1) that powers Oktsec's detection capabilities. Oktsec extends Aguara with runtime enforcement via the MCP Gateway (Layer 3), cryptographic agent identity, and deployment audits. Aguara Watch provides threat intelligence that feeds into both products. They are complementary: Aguara scans before deployment, Oktsec enforces during execution.
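To make the MCP Config category concrete (unpinned npx servers, hardcoded secrets, shell metacharacters in args, Docker privileges), here is an added Go example that audits a client configuration file for those four weak settings. It is example code written for this page, not Aguara's implementation or its rule set; the `mcpServers` JSON layout, the regexes, and the sample config are assumptions constructed for the illustration.

```go
package main

import (
	"encoding/json"
	"regexp"
	"sort"
)

// Constructed sample (not a real config): an unpinned npx server with a hardcoded key, plus a Docker server started with --privileged and a shell metacharacter in an argument.
const SampleConfig = `{"mcpServers": {
  "files": {"command": "npx", "args": ["-y", "@example/files-server"], "env": {"API_KEY": "sk-PLACEHOLDER"}},
  "tools": {"command": "docker", "args": ["run", "--privileged", "example/img; id"]}}}`

// server is the per-entry shape most MCP clients use under "mcpServers" (assumed layout).
type server struct {
	Command string            `json:"command"`
	Args    []string          `json:"args"`
	Env     map[string]string `json:"env"`
}
var (
	pinnedPkg   = regexp.MustCompile(`^@?[^@\s]+@\d+\.\d+\.\d+`) // name@1.2.3 or @scope/name@1.2.3
	secretValue = regexp.MustCompile(`^(sk-|ghp_|AKIA)`)         // common API-key prefixes
	shellMeta   = regexp.MustCompile("[;|&`$<>]")                 // shell metacharacters inside one argument
)
// AuditMCPConfig reports weak settings in a client config's mcpServers map; findings are sorted because Go map iteration order is random and output must be stable.
func AuditMCPConfig(raw []byte) ([]string, error) {
	var cfg struct{ Servers map[string]server `json:"mcpServers"` }
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	var findings []string
	for name, s := range cfg.Servers {
		pinned := false
		for _, a := range s.Args {
			pinned = pinned || pinnedPkg.MatchString(a)
			if a == "--privileged" || shellMeta.MatchString(a) {
				findings = append(findings, name+": dangerous argument "+a)
			}
		}
		if s.Command == "npx" && !pinned {
			findings = append(findings, name+": npx server without a pinned package version")
		}
		for k, v := range s.Env {
			if secretValue.MatchString(v) {
				findings = append(findings, name+": hardcoded secret in env "+k)
			}
		}
	}
	sort.Strings(findings)
	return findings, nil
}
```

On `SampleConfig` the function returns four findings: the hardcoded key and missing version pin on `files`, and the `--privileged` flag and `;` in an argument on `tools`; a server pinned as `@scope/pkg@1.2.3` with a harmless env block yields none.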
## Blog Posts

- [Aguara v0.4.0, MCP v0.3.0 & Watch Expansion — Coordinated Release](https://aguarascan.com/blog/v0-4-0-coordinated-release/) — Coordinated release: 153 detection rules (+5), file/memory hardening, official MCP SDK v1.4.0 migration across the stack, Aguara Watch crosses 42,969 skills across 7 registries. Zero community forks.
- [Securing Your OpenClaw Setup: 7 Checks + Automated Scanning](https://aguarascan.com/blog/securing-openclaw-setup/) — OpenClaw has 239K+ stars and the team ships fast security fixes. But the ClawHub skill ecosystem is your responsibility. 7 practical checks plus step-by-step Aguara integration for scanning skills, configs, and CI/CD pipelines.
- [Kali Linux + Claude Desktop: When Offensive Security Meets MCP](https://aguarascan.com/blog/kali-claude-desktop-mcp-security/) — Kali Linux officially integrates Claude Desktop via MCP to control nmap, metasploit, and hydra through natural language. If legitimate MCP servers give agents access to pentesting tools, imagine what a malicious one can do.
- [NIST Asks How to Secure AI Agents. We Already Have Answers.](https://aguarascan.com/blog/nist-ai-agent-identity-authorization/) — NIST's NCCoE published a concept paper on AI agent identity and authorization. Their 6 open questions map directly to what Aguara and the MCP ecosystem are building today.
- [The Security Flywheel: How Scanner, Observatory, and MCP Server Compound](https://aguarascan.com/blog/the-security-flywheel/) — How a single security scanner became a full feedback loop: observatory crawling 42,655 skills, 4 rounds of FP reduction, and an MCP server that gives agents access to the entire cycle.
- [Docker Sandboxes Are Not Enough](https://aguarascan.com/blog/docker-sandboxes-are-not-enough/) — Docker sandboxes isolate AI agents at runtime. But a sandboxed agent running malicious skills is still a compromised agent. Why you need static analysis before you hit `docker sandbox run`.
- [Your AI Agent Config is a Security Liability](https://aguarascan.com/blog/ai-agent-config-security-liability/) — MCP configuration files are the most dangerous files on developer machines. Hardcoded secrets, `npx -y` without version pins, Docker with `--privileged`, shell metacharacters in args.
- [OWASP Agentic Top 10 Mapped to Aguara Detection Rules](https://aguarascan.com/blog/owasp-agentic-top-10-mapped-to-detection-rules/) — Every risk in the OWASP Top 10 for Agentic Applications mapped to specific Aguara detection rules. 197 rules across 12 categories covering all 10 OWASP risks.
- [MCP Tool Poisoning: Beyond Descriptions](https://aguarascan.com/blog/mcp-tool-poisoning-beyond-descriptions/) — MCP tool poisoning goes far beyond injecting malicious instructions in tool descriptions. Every field the LLM processes is an injection point. Full technical breakdown with detection strategies.
- [From SKILL.md to Shell: A Security Audit Guide](https://aguarascan.com/blog/skill-md-security-audit-guide/) — A practical, step-by-step guide for auditing AI agent skill files for security threats. Covers prompt injection, credential exfiltration, hidden content, command execution, and automated scanning.
- [npx -y Considered Harmful: Supply Chain Risks in MCP Server Configurations](https://aguarascan.com/blog/npx-y-considered-harmful/) — `npx -y` is the default way MCP servers are installed. It auto-downloads and executes code without checksum verification, version pinning, or user review.
- [We Scanned 28,000 AI Agent Skills for Security Threats](https://aguarascan.com/blog/we-scanned-28000-ai-agent-skills/) — We scanned 31,000+ AI agent skills across 5 registries with 148 detection rules. 485 critical-severity findings across 13 threat categories.
- [How I Built a Semgrep-Like Scanner for AI Agent Skills](https://aguarascan.com/blog/how-i-built-semgrep-for-ai-agents/) — Deep dive into building Aguara, an open-source static security scanner for AI agent skills and MCP servers. 148 rules, 3 detection layers, zero dependencies.

## Related Products

- [Oktsec](https://oktsec.com/) — Security layer for AI agent-to-agent communication. MCP Gateway, cryptographic identity, and runtime policy enforcement. Powered by the Aguara detection engine.
- [Oktsec LLM Context](https://oktsec.com/llms.txt) — Full product context for Oktsec.

## Links

- Website: https://aguarascan.com
- GitHub (Scanner): https://github.com/garagon/aguara
- GitHub (MCP Server): https://github.com/garagon/aguara-mcp
- Aguara Watch: https://watch.aguarascan.com
- Blog: https://aguarascan.com/blog/
- Founder: Gustavo Aragon (https://github.com/garagon)
- License: Apache-2.0