Static analysis. 138+ rules. 15 categories. No API keys, no cloud, no LLM. One binary. Deterministic results. Runs in your CI.
Aguara detects security issues in AI agent skills and MCP server configurations using static analysis. No network calls. No dependencies. Just rules and code.
Single Go binary. No API keys, no cloud, no LLM. Your code never leaves your machine.
Goldmark AST parsing catches obfuscated attacks that regex-only tools miss. Markdown structure analysis and keyword classification.
Source-to-sink flow analysis detects data exfiltration paths across skill instructions and tool definitions.
138+ built-in rules. Extensible with custom YAML. Override severity, disable rules, add your own detection patterns.
GitHub Actions and GitLab CI. SARIF output for code scanning alerts. Fail builds on severity threshold.
Same input, same output. Every time. No probabilistic scoring, no LLM variance. Reproducible results you can trust in CI.
One command to scan your skills directory. Findings are ranked by severity with file locations and rule references.
From prompt injection to supply chain attacks. Each rule includes test cases for true positives and false positives.
| Category | Rules | Coverage |
|---|---|---|
| Prompt Injection | 17 + NLP | Instruction overrides, role switching, delimiter injection, jailbreaks |
| Data Exfiltration | 16 + NLP | Webhooks, DNS tunneling, env var leaks, sensitive file reads |
| Credential Leak | 17 | API keys (OpenAI, AWS, GCP, Stripe), private keys, DB strings |
| Supply Chain | 14 | Download-execute patterns, reverse shells, privilege escalation |
| External Download | 16 | Binary downloads, curl-pipe-shell, auto-installs |
| Command Execution | 13 | shell=True, eval, subprocess, child_process |
| MCP Attack | 11 | Tool injection, name shadowing, manifest tampering |
| MCP Config | 8 | Unpinned npx servers, hardcoded secrets |
| SSRF & Cloud | 8 | Metadata endpoints, IMDS, Docker socket |
| Indirect Injection | 7 | Fetch-and-follow, remote config loading |
| Unicode Attack | 7 | RTL override, bidi characters, homoglyphs |
| Third-Party Content | 4 | Mutable content, unvalidated responses |
| Toxic Flow | 3 | User input to sink flows |
The first public dashboard that unifies and scans the 5 largest skill registries daily. Open data. Real findings. Updated continuously.
Drop Aguara into your pipeline. Block risky skills before they reach production.
# .github/workflows/security.yml - name: Scan skills run: | go install github.com/garagon/aguara/cmd/aguara@latest aguara scan .claude/skills/ --ci
# .gitlab-ci.yml security-scan: script: - go install github.com/garagon/aguara/cmd/aguara@latest - aguara scan .claude/skills/ --format sarif -o gl-sast-report.sarif --fail-on high
MIT License. Built in Go. Ready for your pipeline.