Scan Any AI Agent for Security Vulnerabilities

The same engine monitoring 58,000+ skills and MCP servers daily.

Runs locally in your browser via WebAssembly. Nothing is uploaded.

Supports repositories, directories, single files, and raw.githubusercontent.com URLs.

100% client-side via WASM · Open source — Apache-2.0 · Nothing is uploaded
Works on Chrome, Firefox, Safari, and Edge

58K+ skills & MCP servers scanned

7 registries monitored daily

188+ detection rules

15 security categories

What the scanner detects

Every scan checks for vulnerabilities across 15 security categories.

Prompt Injection · Credential Leaks · Command Execution · Data Exfiltration · Indirect Injection · MCP Attacks · MCP Config · SSRF / Cloud · Supply Chain · Third-Party Content · Toxic Flow · External Downloads

How it works

Three steps to find security vulnerabilities in any AI agent skill, MCP server, or configuration file.

Step 1

Provide a source

Enter a GitHub URL, paste content directly, or drag and drop a file.

Step 2

Scan locally in your browser

Aguara runs via WebAssembly. No server, no uploads. Your code stays in your browser.

Step 3

Get your security report

A-F grade, severity breakdown, and downloadable JSON or HTML reports.

Why scan your AI agent tools?

AI agents can execute code, access files, and make network requests on your behalf. A malicious or poorly written skill can leak credentials, exfiltrate data, or run arbitrary commands on your system. Scanning before installing catches these risks before they become incidents.

Prompt injection

Hidden instructions can hijack your AI agent and override its behavior.

Credential theft

Skills can contain or request API keys, tokens, and secrets from your environment.

Code execution

Malicious tools can run shell commands or download scripts on your system.