AgentShield
Full-stack security for AI agents โ static analysis + MCP runtime interception. 31 rules detect prompt injection, data exfiltration, backdoors, tool poisoning, and cross-file attack chains. Includes MCP proxy for real-time blocking, Python AST taint tracking, multi-language injection detection (8 languages), and AI-powered deep analysis. Free, offline, zero-config.
README
๐ก๏ธ Agent Shield
Full-stack security for AI Agents โ Static Analysis + Runtime Interception
AI Agent ๅ จๆ ๅฎๅ จ้ฒๆค โ ้ๆๅๆ + ่ฟ่กๆถๆฆๆช
Catch data exfiltration, backdoors, prompt injection, tool poisoning, and supply chain attacks before they reach your AI agents โ and intercept them at runtime.
Offline-first. AST-powered. Open source. Your data never leaves your machine.
npx @elliotllliu/agent-shield scan ./my-skill/
๐ Three Things No Other Tool Does
1. ๐ Runtime MCP Interception (Only Agent Shield)
Other tools only scan source code before install. Agent Shield also sits between your MCP client and server, intercepting every JSON-RPC message in real-time:
# Insert Agent Shield between client and server
agent-shield proxy node my-mcp-server.js
# Enforce mode: automatically block high-risk tool calls
agent-shield proxy --enforce python mcp_server.py
# Rate-limit + log all alerts
agent-shield proxy --rate-limit 30 --log alerts.jsonl node server.js
What it catches at runtime:
- ๐ญ Tool description injection โ hidden instructions in tool descriptions
- ๐ Result injection โ malicious content in tool return values
- ๐ Credential leakage โ sensitive data in tool call parameters
- ๐ก Beacon behavior โ abnormal periodic callbacks (C2 pattern)
- ๐ชค Rug-pull attacks โ tools changing behavior after initial trust
Snyk doesn't have this. AgentSeal doesn't have this. This is the only open-source tool with static + runtime protection.
2. โ๏ธ Cross-File Attack Chain Detection (Only Agent Shield)
Most scanners check one file at a time. Agent Shield traces data flow across your entire codebase to detect multi-file attack patterns:
๐ด Cross-file data flow:
config_reader.py reads ~/.ssh/id_rsa โ exfiltrator.py POSTs to external server
(connected via imports)
5-stage kill chain model detects complete attack sequences:
๐ด Kill Chain detected:
apt.py:4 โ system info collection [Reconnaissance]
reader.py:8 โ reads ~/.ssh/id_rsa [Collection]
sender.py:12 โ POST to external server [Exfiltration]
Reconnaissance โ Access โ Collection โ Exfiltration โ Persistence
Not just individual alerts โ complete attack narratives.
3. ๐ง AST Taint Tracking (Not Regex)
Uses Python's ast module for precise analysis โ dramatically reducing false positives:
user = input("cmd: ")
eval(user) # โ ๐ด HIGH: tainted input flows to eval
eval("{'a': 1}") # โ โ
NOT flagged (safe string literal)
exec(config_var) # โ ๐ก MEDIUM: dynamic, not proven tainted
| Regex-based | AST-based (Agent Shield) | |
|---|---|---|
eval("safe string") |
โ False positive | โ Not flagged |
# eval(x) in comment |
โ False positive | โ Not flagged |
eval(user_input) tainted |
โ ๏ธ Can't distinguish | โ HIGH (tainted) |
| f-string SQL injection | โ ๏ธ Coarse | โ Precise |
4. ๐ง Context-Aware Scoring (New)
Traditional scanners flag every fetch() call as suspicious. Agent Shield understands context:
- SDK Awareness: Auto-detects 25+ SDKs (AWS, Feishu, Stripe, OpenAI...) โ network calls via known SDKs get lower risk scores
- Auth Flow Recognition: Identifies OAuth2, JWT, session management patterns โ token refresh isn't data exfiltration
- Data Flow Tracking: Traces variables from source (env read, file read) to sink (HTTP, exec) โ only flags actual exfiltration paths
- Confidence Scoring: Each finding has
high/medium/lowconfidence โ single regex matches don't tank your score
๐ Score Breakdown:
Base: 100
env-leak (low, conf: low โ ร0.3) โ SDK detected, penalty reduced 70%
obfuscation (medium, conf: medium โ ร0.6)
โ Cap applied: medium findings present โ max 85
Final: 85/100
โก Quick Start
# Scan a skill / MCP server / plugin (29 rules, offline, <1s)
npx @elliotllliu/agent-shield scan ./my-skill/
# Scan Dify plugins (.difypkg auto-extraction)
npx @elliotllliu/agent-shield scan ./plugin.difypkg
# Runtime interception (MCP proxy)
npx @elliotllliu/agent-shield proxy node my-mcp-server.js
# AI-powered deep analysis (uses YOUR API key)
npx @elliotllliu/agent-shield scan ./skill/ --ai --provider openai --model gpt-4o
npx @elliotllliu/agent-shield scan ./skill/ --ai --provider ollama --model llama3
# Discover installed agents on your machine
npx @elliotllliu/agent-shield discover
# Check if installed agents are safe
npx @elliotllliu/agent-shield install-check
# SARIF output for GitHub Code Scanning
npx @elliotllliu/agent-shield scan ./skill/ --sarif -o results.sarif
# HTML report
npx @elliotllliu/agent-shield scan ./skill/ --html
# CI/CD gate
npx @elliotllliu/agent-shield scan ./skill/ --fail-under 70
๐ Agent Shield vs Competitors
| Agent Shield | Snyk Agent Scan | Tencent AI-Infra-Guard | |
|---|---|---|---|
| Runtime MCP Interception | โ MCP Proxy | โ | โ |
| Cross-file Attack Chain | โ | โ | Partial |
| AST Taint Tracking | โ Python | โ | Unknown |
| Static Rules | 31 | 6 | Many (incl. infra) |
| Multi-language Injection | โ 8 languages | โ English only | Unknown |
| Description-Code Integrity | โ | โ | Unknown |
| Python Security | โ 35 patterns + AST | โ | โ |
| Prompt Injection | โ 55+ patterns + AI | โ LLM (cloud) | Unknown |
| 100% Offline | โ | โ cloud required | โ |
Zero Install (npx) |
โ | โ Python + uv | โ Docker |
| Choose Your Own LLM | โ OpenAI/Anthropic/Ollama | โ | โ |
| VS Code Extension | โ | โ | โ |
| GitHub App + Action | โ | โ | โ |
| Open Source | โ MIT | โ | โ |
๐ 31 Security Rules
๐ด High Risk
| Rule | Detects |
|---|---|
data-exfil |
Reads sensitive data + sends HTTP requests (exfiltration pattern) |
backdoor |
eval(), exec(), new Function(), child_process.exec() with dynamic input |
reverse-shell |
Outbound socket connections piped to shell |
crypto-mining |
Mining pool connections, xmrig, coinhive |
credential-hardcode |
Hardcoded AWS keys (AKIA...), GitHub PATs, Stripe/Slack tokens |
obfuscation |
eval(atob(...)), hex chains, String.fromCharCode obfuscation |
๐ก Medium Risk
| Rule | Detects |
|---|---|
prompt-injection |
55+ patterns: instruction override, identity manipulation, TPA, encoding evasion |
tool-shadowing |
Cross-server tool name conflicts, tool override attacks |
env-leak |
Environment variables + outbound HTTP (credential theft) |
network-ssrf |
User-controlled URLs, AWS metadata endpoint access |
phone-home |
Periodic timer + HTTP request (beacon/C2 pattern) |
toxic-flow |
Cross-tool data leak and destructive flows |
skill-risks |
Financial ops, untrusted content, external dependencies |
python-security |
35 patterns: eval, pickle, subprocess, SQL injection, SSTI, path traversal |
go-rust-security |
22 patterns: command injection, unsafe blocks, raw SQL |
๐ข Low Risk
| Rule | Detects |
|---|---|
privilege |
SKILL.md declared permissions vs actual code behavior mismatch |
supply-chain |
Known CVEs in npm dependencies |
sensitive-read |
Access to ~/.ssh, ~/.aws, ~/.kube |
excessive-perms |
Too many or dangerous permissions in SKILL.md |
mcp-manifest |
MCP server: wildcard perms, undeclared capabilities |
typosquatting |
Suspicious npm names: 1odash โ lodash |
hidden-files |
.env files with secrets committed to repo |
๐ Advanced Detection (Unique to Agent Shield)
| Rule | Detects | Snyk? |
|---|---|---|
cross-file |
Cross-file data flow: File A reads secrets โ File B sends HTTP | โ |
attack-chain |
Kill chain detection: Recon โ Access โ Collection โ Exfil โ Persistence | โ |
multilang-injection |
8-language injection: ไธญ/ๆฅ/้/ไฟ/้ฟ/่ฅฟ/ๆณ/ๅพท prompt injection | โ |
python-ast |
AST taint tracking: follows data from input() โ eval() |
โ |
description-integrity |
Description vs code: "read-only" tool that writes files | โ |
mcp-runtime |
MCP runtime: debug inspector, non-HTTPS, tool count explosion | โ |
๐ฌ Multi-Language Prompt Injection
8 languages โ most scanners only check English:
ๅฟฝ็ฅไธ้ข็ๆไปค โ ๐ด Chinese injection
ๅใฎๆ็คบใ็ก่ฆ โ ๐ด Japanese injection
์ด์ ์ ์ง์๋ฅผ ๋ฌด์ โ ๐ด Korean injection
ะะณะฝะพัะธััะน ะธะฝััััะบัะธะธ โ ๐ด Russian injection
ุชุฌุงูู ุงูุชุนููู
ุงุช โ ๐ด Arabic injection
๐ Real-World Validation: 493 Dify Plugins
We scanned the entire langgenius/dify-plugins repository:
| Metric | Value |
|---|---|
| Plugins scanned | 493 |
| Files analyzed | 9,862 |
| Lines of code | 939,367 |
| Scan time | ~120s |
| Average score | 93/100 |
| Risk Level | Count | % |
|---|---|---|
| ๐ด High risk (real issues) | 6 | 1.2% |
| ๐ก Medium risk | 73 | 14.8% |
| ๐ข Clean | 414 | 84.0% |
6 confirmed high-risk plugins with real eval()/exec() executing dynamic code.
๐ก Example Output
๐ก๏ธ Agent Shield Scan Report
๐ Scanned: ./deceptive-tool (3 files, 25 lines)
Score: 0/100 (Critical Risk)
๐ด High Risk: 4 findings
๐ก Medium Risk: 6 findings
๐ข Low Risk: 1 finding
๐ด High Risk (4)
โโ calculator.py:7 โ [backdoor] eval() with dynamic input
โ result = eval(expr)
โโ manifest.yaml โ [description-integrity] Scope creep: "calculator"
โ tool sends emails โ undisclosed and suspicious capability
โโ tools/calc.yaml โ [description-integrity] Description claims
โ "local only" but code makes network requests in: tools/calc.py
โโ exfiltrator.py โ [cross-file] Cross-file data flow:
config_reader.py reads secrets โ exfiltrator.py sends HTTP
โฑ 136ms
๐ Integrate Agent Shield Into Your Platform
Running a skill marketplace, MCP directory, or plugin registry? This section is for you.
Your platform lists hundreds of skills, MCP servers, and plugins. Users install them into AI agents with access to files, credentials, and shell commands. But:
- โ Nobody verifies what gets listed. A skill with
eval(atob(...))looks the same as a clean one. - โ Users can't tell safe from dangerous. There's no security signal anywhere.
- โ One bad skill = total compromise. Credential theft, data exfiltration, reverse shells.
What You Get
| Without Agent Shield | With Agent Shield | |
|---|---|---|
| User trust | "Is this safe?" โ no idea | ๐ข๐ก๐ ๐ด Security score on every listing |
| Platform reputation | Same as every directory | "The only marketplace that verifies security" |
| Bad actors | Malicious skills sit undetected | Auto-flagged before users see them |
How to Integrate (5 minutes)
npx @elliotllliu/agent-shield scan ./skill --format json
{
"score": 92,
"totalFindings": 1,
"summary": { "high": 0, "medium": 0, "low": 1 },
"findings": [
{
"severity": "low",
"rule": "env-leak",
"file": "src/config.ts",
"line": 8,
"message": "Environment variable access without validation"
}
]
}
Store the JSON, render the badge. That's it.
๐ Full Integration Guide โ
Who Should Integrate
| Platform Type | Examples | Value |
|---|---|---|
| Skill directories | ClawHub, skills.sh | Security badges on every skill |
| MCP registries | mcp.so, Smithery, Glama | Scan servers before listing |
| Plugin marketplaces | Dify store, GPT store | Gate submissions by security score |
| Agent platforms | OpenClaw, Cline, Cursor | Warn users before install |
๐ฆ Ecosystem
๐ค GitHub App
Auto-scan every PR for security issues. Learn more โ
๐ป VS Code Extension
Real-time security diagnostics in your editor. Learn more โ
๐ Runtime MCP Proxy
Monitor MCP server behavior in real-time. Detect injection, exfiltration, and rug-pull attacks.
agent-shield proxy --enforce node my-mcp-server.js
โ๏ธ CI Integration
GitHub Action
name: Security Scan
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: elliotllliu/agent-shield@main
with:
path: './skills/'
fail-under: '70'
GitHub Action with SARIF Upload
name: Security Scan (SARIF)
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- uses: actions/checkout@v4
- uses: elliotllliu/agent-shield@main
with:
path: './skills/'
fail-under: '70'
sarif: 'true'
- name: Upload SARIF
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: agent-shield-results.sarif
npx one-liner
- name: Security scan
run: npx -y @elliotllliu/agent-shield scan . --fail-under 70
โ๏ธ Configuration
Create .agent-shield.yml (or run agent-shield init):
rules:
disable:
- supply-chain
- phone-home
failUnder: 70
ignore:
- "tests/**"
- "*.test.ts"
Scoring
| Severity | Points |
|---|---|
| ๐ด High | -25 |
| ๐ก Medium | -8 |
| ๐ข Low | -2 |
| Score | Risk Level |
|---|---|
| 90-100 | โ Low Risk โ safe to install |
| 70-89 | ๐ก Moderate โ review warnings |
| 40-69 | ๐ High Risk โ investigate before using |
| 0-39 | ๐ด Critical โ do not install |
๐๏ธ Supported Platforms
| Platform | Support |
|---|---|
| AI Agent Skills | OpenClaw, Codex, Claude Code |
| MCP Servers | Model Context Protocol tool servers |
| Dify Plugins | .difypkg archive extraction + scan |
| npm Packages | Any package with executable code |
| Python Projects | AST analysis + 35 security patterns |
| General | Any directory with JS/TS/Python/Go/Rust/Shell code |
File Types
| Language | Extensions |
|---|---|
| JavaScript/TypeScript | .js, .ts, .mjs, .cjs, .tsx, .jsx |
| Python | .py (regex + AST analysis) |
| Go | .go |
| Rust | .rs |
| Shell | .sh, .bash, .zsh |
| Config | .json, .yaml, .yml, .toml |
| Docs | SKILL.md, manifest.yaml |
๐ค Contributing
We especially welcome:
- New detection rules
- False positive / false negative reports
- Third-party benchmark test results
See CONTRIBUTING.md
๐ Community & Partners
| Partner | Contribution |
|---|---|
| Agent Skills Hub | Real-world testing across skill registries, security insights, and feature feedback |
Links
๐ฆ npm ยท ๐ Rule Docs ยท ๐ค GitHub App ยท ๐ป VS Code ยท ๐ Integration Guide ยท ๐จ๐ณ ไธญๆ README
License
MIT
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.