agentwise

The fast, offline security scanner for AI agent configurations.



Think npm audit, but for MCP servers and AI agents.

$ agentwise scan .

  ╔══════════════════════════════════════════════════════════════╗
  ║  agentwise v0.1.0                                            ║
  ║  MCP Security Scanner                                        ║
  ╚══════════════════════════════════════════════════════════════╝

  ● Scanned 3 configs (12 servers) in 4ms

  ┌──────────────────────────────────────────────────────────────┐
  │  ■ 3 critical  ■ 5 high  ■ 7 medium  ■ 0 low                 │
  └──────────────────────────────────────────────────────────────┘

  ✖ CRITICAL  .mcp.json → filesystem  AW-002
    Filesystem server with dangerous root access
    Fix: Add "allowedDirectories" to restrict to project directories

  ✖ CRITICAL  .mcp.json → quickbooks  AW-001
    No authentication on remote MCP server
    Fix: Add authentication via env vars (AUTH_TOKEN, API_KEY, etc.)

  ▲ HIGH      .mcp.json → filesystem  AW-006
    CVE-2025-53110: Path traversal in server-filesystem <0.6.3
    Fix: Upgrade to >=0.6.3

  ╔══════════════════════════════════════════════════════════════╗
  ║  Score: 12/100  ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░  Grade: F     ║
  ╚══════════════════════════════════════════════════════════════╝

How it works

[Diagram: agentwise architecture]

Why agentwise?

30+ CVEs against MCP servers in the last 60 days. 36% of MCP servers ship with zero authentication. Your AI agent setup is probably vulnerable.

Every existing scanner is Python, JavaScript, or TypeScript. They need pip install or npm install, pull dozens of dependencies, and some require LLM API calls that cost money per scan.

                agentwise       Snyk agent-scan   Cisco mcp-scanner   mcp-shield
Language        Rust            Python            Python              TypeScript
Install         Single binary   pip / uvx         pip                 npm
Speed class     Milliseconds    Seconds           Seconds             Seconds
Offline         Yes             No                No                  Yes
EPSS scoring    Yes             No                No                  No
Supply chain    Yes             No                No                  No
deps.dev        Yes             No                No                  No

Performance (measured)

Measured on macOS arm64, release build, using hyperfine.

agentwise scan latency

Command                                                   Mean time
agentwise scan testdata/vulnerable-mcp.json (5 servers)   3.2 ms
agentwise scan research/configs/ (109 servers)            3.9 ms

Quick head-to-head (same vulnerable fixture)

Tool                                   Mean runtime
agentwise                              3.1 ms
Cisco mcp-scanner (--analyzers yara)   2.68 s
mcp-shield (default run)               60.62 s

Notes:

  • These are default CLI runs on the same fixture (testdata/vulnerable-mcp.json).
  • Some tools attempt live server connections by design, which increases runtime.
  • Reproduce locally with the benchmark commands in research/benchmarks.md.

Real-world findings snapshot

From a scan of 109 MCP server entries collected from public GitHub configs + official docs:

  • 130 total findings (13 high, 117 medium)
  • 100% missing tool allowlists (AW-007)
  • 8.26% had unrestricted filesystem access (AW-002)
  • 1.83% exposed hardcoded secrets (AW-004)
  • Insecure HTTP transport still present in public configs (AW-005)

Full methodology, source attribution, and raw output are in research/FINDINGS.md and research/scan-results.json.

Trust signals

  • 4.0 MB release binary
  • 203/203 tests passing
  • 0 clippy warnings with -D warnings
  • 0 known Rust dependency vulnerabilities (cargo audit)

Install

From crates.io (coming soon)

agentwise is not published on crates.io yet.

Install with Cargo today

cargo install --git https://github.com/brandonwise/agentwise agentwise

Build from source now

git clone https://github.com/brandonwise/agentwise
cd agentwise
cargo build --release
./target/release/agentwise --version

Pre-built binary

curl -sSf https://raw.githubusercontent.com/brandonwise/agentwise/main/install.sh | sh

Homebrew

brew tap brandonwise/tap
brew install agentwise

Scan workflow

[Diagram: agentwise scan workflow]

Quick Start

# Scan current directory (auto-detects MCP configs)
agentwise scan .

# Scan a specific config file
agentwise scan ~/.mcp.json

# Live mode: query OSV + EPSS for real-time CVE data
agentwise scan . --live

# Supply chain analysis (npm registry + deps.dev)
agentwise scan . --supply-chain

# Fail CI on high+ severity findings
agentwise scan . --fail-on high

Supported Configs

agentwise auto-detects and scans:

  • .mcp.json — Claude Code project-level configs
  • claude_desktop_config.json — Claude Desktop
  • .cursor/mcp.json — Cursor editor
  • mcp.json — Generic MCP configs
  • Any JSON file with mcpServers passed as argument

Threat coverage

[Diagram: agentwise threat model]

Detection Rules

12 built-in rules, covering misconfigurations, known CVEs, and supply chain risks:

ID      Rule                                  Severity
AW-001  No authentication on remote server    Critical
AW-002  Overpermissioned filesystem access    Critical
AW-003  Unrestricted shell/exec access        Critical
AW-004  Secrets in plaintext config           High
AW-005  Insecure transport (HTTP)             High
AW-006  Known CVE match (embedded + OSV)      Critical/High
AW-007  Missing tool allowlist                Medium
AW-008  Write-capable tools without opt-in    Medium
AW-009  Unrestricted network/fetch tools      Medium
AW-010  Prompt injection surface              Medium
AW-011  Supply chain risk signals             High/Medium
AW-012  Deep dependency chain (deps.dev)      High/Medium
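To make concrete what a handful of these rules look at, here is an added Python illustration (not the project's Rust code in src/rules/) that runs simplified versions of AW-001, AW-002, AW-004, AW-005 and AW-007 over a constructed .mcp.json. The heuristics, the "allowedTools" and "headers" keys, the loopback exclusion and the secret-looking value patterns are assumptions made for the example; only the "mcpServers" and "allowedDirectories" keys come from this README.

```python
import json
import re

# Constructed sample .mcp.json for the example; not taken from the project.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/"]
    },
    "quickbooks": {
      "url": "http://quickbooks.example.internal/mcp"
    },
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": {"GITHUB_TOKEN": "ghp_constructedexampletoken0000000000"},
      "allowedTools": ["list_issues", "get_issue"]
    }
  }
}
"""

# Env/header names that suggest credentials are being supplied (assumed heuristic).
AUTH_KEY = re.compile(r"TOKEN|API_KEY|SECRET|PASSWORD|AUTH", re.I)
# Values that look like literal secrets rather than ${VAR} references (assumed patterns).
SECRET_VALUE = re.compile(r"^(ghp_[A-Za-z0-9]{20,}|sk-[A-Za-z0-9]{20,}|AKIA[A-Z0-9]{16})$")
# Plain HTTP to loopback is tolerated by this example (assumption).
LOOPBACK = re.compile(r"^http://(localhost|127\.0\.0\.1)(:\d+)?(/|$)")


def check_server(name, server):
    """Return (rule_id, severity, server, message) tuples for one mcpServers entry."""
    findings = []
    url = server.get("url")
    env = server.get("env") or {}
    headers = server.get("headers") or {}   # assumed key for HTTP/SSE transports
    args = server.get("args") or []

    # AW-001: URL-based (remote) server with nothing that looks like credentials.
    if url and not any(AUTH_KEY.search(k) for k in list(env) + list(headers)):
        findings.append(("AW-001", "critical", name, "No authentication on remote MCP server"))

    # AW-005: remote server reached over plaintext HTTP (loopback excluded).
    if url and url.startswith("http://") and not LOOPBACK.match(url):
        findings.append(("AW-005", "high", name, "Insecure transport (HTTP)"))

    # AW-002: filesystem server without an explicit allowedDirectories restriction.
    if any("server-filesystem" in a for a in args) and not server.get("allowedDirectories"):
        findings.append(("AW-002", "critical", name, "Filesystem server with dangerous root access"))

    # AW-004: env values that are literal secrets instead of references.
    for key, value in env.items():
        if isinstance(value, str) and SECRET_VALUE.match(value):
            findings.append(("AW-004", "high", name, f"Plaintext secret in env: {key}"))

    # AW-007: no tool allowlist (assumed key name "allowedTools").
    if not server.get("allowedTools"):
        findings.append(("AW-007", "medium", name, "Missing tool allowlist"))
    return findings


def scan_config(text):
    """Parse an mcpServers-style JSON document and run every check on every server."""
    config = json.loads(text)
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        findings.extend(check_server(name, server))
    return findings


if __name__ == "__main__":
    for rule, sev, server, msg in scan_config(SAMPLE_CONFIG):
        print(f"{sev.upper():9} {server:12} {rule}  {msg}")
```

Run as a script it prints six findings for the constructed config: the filesystem entry trips AW-002 and AW-007, the quickbooks entry trips AW-001, AW-005 and AW-007, and the github entry trips AW-004 only, because it carries an allowlist but embeds a literal token.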

Live Mode

The --live flag queries OSV.dev for real-time vulnerability data and FIRST EPSS for exploitation probability scores. This tells you not just what is vulnerable, but how likely it is to be exploited in the wild.

$ agentwise scan . --live

  ...

  ▲ HIGH      .mcp.json → filesystem  AW-006 [LIVE]
    CVE-2025-53110: Path traversal in server-filesystem <0.6.3
    EPSS: 72% exploitation probability (95th percentile)
    Fix: Upgrade to >=0.6.3

  ● Live CVE check: queried OSV for 8 packages (2 new vulnerabilities found)

  ...

EPSS scores above 50% are flagged as actively exploited in the wild. The --offline flag disables all network queries and uses only the embedded database.

Supply Chain Analysis

The --supply-chain flag analyzes each MCP server's npm package for supply chain risk signals: single-maintainer packages, typosquatting, install scripts, low download counts, and dependency graph depth via deps.dev.

$ agentwise scan . --supply-chain

  ...

  ▲ HIGH      .mcp.json → sketchy-mcp  AW-011 [SUPPLY-CHAIN]
    Supply chain risk: HIGH for sketchy-mcp
    ├ Single maintainer 'anon42' (account takeover risk)
    ├ Has postinstall script
    └ 43 weekly downloads
    Fix: Review package provenance and consider official @modelcontextprotocol packages

  ● MEDIUM    .mcp.json → some-tool  AW-012 [DEPS.DEV]
    Deep dependency chain: 247 transitive deps
    ├ 247 transitive dependencies (high risk)
    └ 2 transitive deps have known advisories
    Fix: Review transitive dependencies and update packages with advisories

  ...
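As an added Python illustration of the signals listed above (not the project's own code), the function below derives them from an npm registry metadata document of the shape the registry returns for a package, plus a weekly download count, which npm serves from a separate downloads endpoint. The reference list of official package names, the thresholds (100 weekly downloads, edit distance 2 for a look-alike name) and the HIGH/MEDIUM/LOW combination rule are assumptions; the registry documents are constructed.

```python
# Package names a look-alike would be compared against (assumed reference list).
OFFICIAL_PACKAGES = [
    "@modelcontextprotocol/server-filesystem",
    "@modelcontextprotocol/server-github",
    "@modelcontextprotocol/server-postgres",
]
LOW_DOWNLOADS = 100          # assumed threshold for "low download count"
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_target(name):
    """Return the official package this name is within 2 edits of, if any."""
    for official in OFFICIAL_PACKAGES:
        if name != official and edit_distance(name, official) <= 2:
            return official
    return None


def supply_chain_signals(registry_doc, weekly_downloads):
    """Return (signals, risk) for one package from registry metadata and a download count."""
    name = registry_doc["name"]
    signals = []
    maintainers = registry_doc.get("maintainers", [])
    if len(maintainers) == 1:
        signals.append(f"Single maintainer '{maintainers[0]['name']}' (account takeover risk)")
    latest = registry_doc.get("dist-tags", {}).get("latest")
    scripts = registry_doc.get("versions", {}).get(latest, {}).get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            signals.append(f"Has {hook} script")
    if weekly_downloads < LOW_DOWNLOADS:
        signals.append(f"{weekly_downloads} weekly downloads")
    target = typosquat_target(name)
    if target:
        signals.append(f"Name is within 2 edits of {target} (possible typosquat)")
    # Assumed combination rule: a look-alike name or 2+ signals is HIGH, one signal MEDIUM.
    if target or len(signals) >= 2:
        risk = "HIGH"
    elif signals:
        risk = "MEDIUM"
    else:
        risk = "LOW"
    return signals, risk


# Constructed registry documents (the shape the npm registry returns, trimmed).
SKETCHY = {
    "name": "sketchy-mcp",
    "maintainers": [{"name": "anon42"}],
    "dist-tags": {"latest": "0.0.3"},
    "versions": {"0.0.3": {"scripts": {"postinstall": "node setup.js"}}},
}
LOOKALIKE = {
    "name": "@modelcontextprotoco1/server-github",
    "maintainers": [{"name": "a"}, {"name": "b"}],
    "dist-tags": {"latest": "1.0.0"},
    "versions": {"1.0.0": {"scripts": {"test": "jest"}}},
}
HEALTHY = {
    "name": "@modelcontextprotocol/server-github",
    "maintainers": [{"name": "a"}, {"name": "b"}, {"name": "c"}],
    "dist-tags": {"latest": "2.0.0"},
    "versions": {"2.0.0": {"scripts": {"build": "tsc"}}},
}

if __name__ == "__main__":
    for doc, downloads in ((SKETCHY, 43), (LOOKALIKE, 5000), (HEALTHY, 120000)):
        signals, risk = supply_chain_signals(doc, downloads)
        print(f"{doc['name']}: {risk}")
        for s in signals:
            print("  -", s)
```

The look-alike case is the one worth noticing: a package with several maintainers, no install hooks and healthy download numbers still lands at HIGH purely because its name is one character away from an official package, which is why the example treats a near-miss name as decisive rather than as one vote among several.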

CI/CD Integration

GitHub Actions (manual, available now)

- name: Install agentwise
  run: curl -sSf https://raw.githubusercontent.com/brandonwise/agentwise/main/install.sh | sh

- name: Scan MCP configs
  run: agentwise scan . --fail-on high --format sarif > agentwise.sarif

- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: agentwise.sarif

The --fail-on flag exits with code 1 when findings at or above the specified severity are found, gating your pipeline.

Output Formats

agentwise scan .                                        # Colorized terminal output (default)
agentwise scan . --format json                          # JSON for scripting and pipelines
agentwise scan . --format sarif                         # SARIF for GitHub Code Scanning
agentwise scan . --format html --output report.html     # Dark-themed HTML report
agentwise scan . --format markdown                      # Markdown for PRs/Notion/Confluence
agentwise badge --format svg --output badge.svg         # Shields.io-style SVG badge

Scoring

Every scan produces a security score from 0 to 100:

Grade  Score   Meaning
A      90-100  Excellent — minimal risk
B      80-89   Good — minor issues
C      70-79   Fair — some concerns
D      50-69   Poor — significant risks
F      0-49    Critical — immediate action needed

Scoring weights: Critical = -20, High = -10, Medium = -5, Low = -2.
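An added Python illustration (not the project's Rust implementation) of the grade bands and weights above, together with the --fail-on gate described under CI/CD Integration. It applies the stated weights as a straight subtraction from 100 and floors the result at 0; that floor, and the severity ordering used to decide "at or above" the threshold, are assumptions. The README's sample header reports 12/100 for 3 critical, 5 high and 7 medium findings, which a plain subtraction would push below zero, so the shipped scorer evidently does more than apply these weights.

```python
# Weights and grade bands as stated in the README; the floor at 0 is an assumption.
WEIGHTS = {"critical": 20, "high": 10, "medium": 5, "low": 2}
GRADE_BANDS = [(90, "A"), (80, "B"), (70, "C"), (50, "D"), (0, "F")]
# Ordering used to decide "at or above" a --fail-on threshold (assumed).
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def score(severities):
    """100 minus the weighted penalty of every finding's severity, floored at 0."""
    penalty = sum(WEIGHTS[s.lower()] for s in severities)
    return max(0, 100 - penalty)


def grade(score_value):
    """Map a 0-100 score onto the A-F bands."""
    for floor, letter in GRADE_BANDS:
        if score_value >= floor:
            return letter
    return "F"


def exit_code(severities, fail_on):
    """1 if any finding is at or above the --fail-on severity, else 0."""
    threshold = SEVERITY_RANK[fail_on.lower()]
    return 1 if any(SEVERITY_RANK[s.lower()] >= threshold for s in severities) else 0


def summarize(severities, fail_on="high"):
    """Score, grade and CI exit code for one scan's list of finding severities."""
    s = score(severities)
    return {"score": s, "grade": grade(s), "exit_code": exit_code(severities, fail_on)}


if __name__ == "__main__":
    # Constructed finding list: one critical, one high, two medium.
    print(summarize(["critical", "high", "medium", "medium"], fail_on="high"))
```

For the constructed list the penalty is 20 + 10 + 5 + 5 = 40, giving a score of 60, grade D, and exit code 1 because at least one finding is at or above high.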

CVE Database

agentwise ships with an embedded database of 22+ known MCP vulnerabilities, compiled at build time. Notable entries:

  • CVE-2025-6514 — Command injection in MCP tool configs (CVSS 10.0)
  • CVE-2026-2256 — Prompt-to-RCE via Shell tool in ms-agent (CVSS 10.0)
  • CVE-2025-59536 — RCE via Claude Code project files (CVSS 9.8)
  • CVE-2026-15503 — Container escape in mcp-server-docker (CVSS 9.6)
  • CVE-2026-31024 — SQL injection in mcp-server-postgres (CVSS 9.1)
  • CVE-2025-53110 — Path traversal in server-filesystem
  • CVE-2025-68143 — Path traversal + argument injection in Git MCP

Update your local cache from OSV at any time:

agentwise update

Roadmap

  • 12 detection rules (AW-001 through AW-012)
  • Embedded CVE database (22+ entries)
  • Live OSV + EPSS enrichment (--live)
  • Supply chain analysis (--supply-chain)
  • deps.dev dependency graph analysis
  • Terminal, JSON, SARIF output
  • GitHub Action
  • Scoring system (0-100, A-F)
  • Auto-discovery (agentwise scan --auto)
  • Custom rule DSL (YAML)
  • Interactive TUI
  • Auto-fix (agentwise fix)

Contributing

See CONTRIBUTING.md. The easiest way to contribute is adding new detection rules — each rule is a single file in src/rules/.

License

MIT License (LICENSE-MIT).


Built by @brandonwise. Because your AI agents deserve better security than "auth": null.
