Static analysis. 177 rules. 13 categories. No API keys, no cloud, no LLM. One binary. Deterministic results. Confidence scoring. Remediation guidance. Auto-discovers 17 MCP clients. Rug-pull detection. Runs in your CI and inside your agent.
Aguara detects security issues in AI agent skills and MCP server configurations using static analysis. Auto-discovers 17 MCP clients. 4-layer analysis engine: pattern matching, NLP, taint tracking, and rug-pull detection. No network calls. No dependencies. Just rules and code.
Single Go binary. No API keys, no cloud, no LLM. Your code never leaves your machine. Install via brew install, docker run, curl | bash, or go install.
Auto-discovers 17 MCP clients (Claude, Cursor, Windsurf, VS Code, and more). aguara scan --auto scans all configs at once.
Goldmark AST parsing catches obfuscated attacks that regex-only tools miss. Heading-body divergence, authority claims, hidden instructions.
Source-to-sink flow analysis detects data exfiltration paths across skill instructions and tool definitions. Private data to public output, credential theft, destructive ops.
Hash-based change tracking across scans. --monitor detects when a previously safe skill introduces malicious content.
6 decoders (base64, hex, URL encoding, Unicode escapes, HTML entities, hex escapes) catch obfuscated payloads that bypass text-based rules.
Detects dangerous capability combinations across files in the same MCP server. One tool reads credentials, another sends to a webhook — Aguara catches the toxic flow.
0-100 risk score with diminishing returns. Multiple correlated findings produce a higher score than any single finding alone. In JSON, SARIF, and terminal output.
177 built-in rules. Extensible with custom YAML. Override severity, disable rules, add exclude patterns for FP reduction.
Official GitHub Action (garagon/aguara@v1), Docker, and GitLab CI. SARIF for code scanning. --ci, --changed, --fail-on flags.
Public Go library with Scan(), ScanContent(), Discover(), ExplainRule(). New in v0.10: WithStateDir() for rug-pull detection, WithDeduplicateMode(), and RiskScore on results.
Same input, same output. Every time. No probabilistic scoring, no LLM variance. Reproducible results you can trust in CI.
One command to scan your skills directory. Findings are ranked by severity with file locations and rule references.
From prompt injection to supply chain attacks. 177 YAML rules plus dynamic NLP, toxic flow, and rug-pull analyzers. Each rule includes test cases and supports exclude patterns for FP reduction.
| Category | Rules | Coverage |
|---|---|---|
| Credential Leak | 22 | API keys (OpenAI, AWS, GCP, Stripe, Anthropic), private keys, DB strings, HMAC secrets |
| Prompt Injection | 18 + NLP | Instruction overrides, role switching, delimiter injection, jailbreaks, event injection |
| Supply Chain | 21 | Download-and-execute, reverse shells, sandbox escape, symlink attacks, privilege escalation |
| External Download | 16 | Binary downloads, curl-pipe-shell, auto-installs, profile persistence |
| MCP Attack | 16 | Tool injection, name shadowing, canonicalization bypass, capability escalation |
| Data Exfiltration | 16 + NLP | Webhook exfil, DNS tunneling, sensitive file reads, env var leaks |
| Command Execution | 16 | shell=True, eval, subprocess, child_process, PowerShell |
| MCP Config | 11 | Unpinned npx servers, hardcoded secrets, Docker cap-add, host networking |
| Indirect Injection | 10 | Fetch-and-follow, remote config, DB-driven instructions, webhook registration |
| SSRF & Cloud | 11 | Cloud metadata, IMDS, Docker socket, internal IPs, redirect following |
| Third-Party Content | 10 | eval with external data, unsafe deserialization, missing SRI, HTTP downgrade |
| Unicode Attack | 10 | RTL override, bidi, homoglyphs, zero-width sequences, normalization bypass |
| Toxic Flow | 3 + cross-file | Source-to-sink taint: private data → public output, credential theft, destructive ops. Cross-file analysis detects split capabilities across MCP server tools. |
The first public dashboard that unifies and scans the 6 largest skill registries with incremental crawls every 6 hours. A–F grades for every skill. Open data via JSON API and CSV downloads. Updated continuously.
New: Scan any GitHub repo, file, or paste directly in your browser — powered by Aguara compiled to WebAssembly. No install, no sign-up, 100% client-side.
The first MCP server that exposes a security scanner as a native tool for AI agents. Install once, scan from any agent that supports MCP.
Aguara is now a GitHub Action on the Marketplace. One line in your workflow — SARIF results in GitHub Code Scanning.
# .github/workflows/security.yml - uses: garagon/aguara@v1 with: path: .claude/skills/ sarif: true
Results appear directly in GitHub Code Scanning. No install script, no API keys.
# .gitlab-ci.yml security-scan: script: - REPO=garagon/aguara - curl -fsSL https://raw.githubusercontent.com/$REPO/main/install.sh | bash - aguara scan .claude/skills/ --format sarif -o gl-sast-report.sarif --fail-on high
Apache-2.0 License. Built in Go. Ready for your pipeline and your agent.