Agentwise
Security scanner for AI agents. Finds vulnerabilities in MCP servers, agent configs, and tool setups. Written in Rust.
agentwise
The fast, offline security scanner for AI agent configurations.
Think npm audit, but for MCP servers and AI agents.
```text
$ agentwise scan .
────────────────────────────────────────────────────────────────
  agentwise v0.1.0
  MCP Security Scanner
────────────────────────────────────────────────────────────────
✓ Scanned 3 configs (12 servers) in 4ms
────────────────────────────────────────────────────────────────
  ● 3 critical  ● 5 high  ● 7 medium  ● 0 low
────────────────────────────────────────────────────────────────
● CRITICAL  .mcp.json → filesystem  AW-002
  Filesystem server with dangerous root access
  Fix: Add "allowedDirectories" to restrict to project directories
● CRITICAL  .mcp.json → quickbooks  AW-001
  No authentication on remote MCP server
  Fix: Add authentication via env vars (AUTH_TOKEN, API_KEY, etc.)
▲ HIGH      .mcp.json → filesystem  AW-006
  CVE-2025-53110: Path traversal in server-filesystem <0.6.3
  Fix: Upgrade to >=0.6.3
────────────────────────────────────────────────────────────────
  Score: 12/100  ████░░░░░░░░░░░░░░░░░░░░░░░░░░  Grade: F
────────────────────────────────────────────────────────────────
```
How it works
Why agentwise?
30+ CVEs against MCP servers in the last 60 days. 36% of MCP servers ship with zero authentication. Your AI agent setup is probably vulnerable.
Every existing scanner is Python, JavaScript, or TypeScript. They need pip install or npm install, pull dozens of dependencies, and some require LLM API calls that cost money per scan.
| | agentwise | Snyk agent-scan | Cisco mcp-scanner | mcp-shield |
|---|---|---|---|---|
| Language | Rust | Python | Python | TypeScript |
| Install | Single binary | pip / uvx | pip | npm |
| Speed class | Milliseconds | Seconds | Seconds | Seconds |
| Offline | Yes | No | No | Yes |
| EPSS scoring | Yes | No | No | No |
| Supply chain | Yes | No | No | No |
| deps.dev | Yes | No | No | No |
Performance (measured)
Measured on macOS arm64, release build, using hyperfine.
agentwise scan latency
| Command | Mean time |
|---|---|
| agentwise scan testdata/vulnerable-mcp.json (5 servers) | 3.2 ms |
| agentwise scan research/configs/ (109 servers) | 3.9 ms |
Quick head-to-head (same vulnerable fixture)
| Tool | Mean runtime |
|---|---|
| agentwise | 3.1 ms |
| Cisco mcp-scanner (--analyzers yara) | 2.68 s |
| mcp-shield (default run) | 60.62 s |
Notes:
- These are default CLI runs on the same fixture (testdata/vulnerable-mcp.json).
- Some tools attempt live server connections by design, which increases runtime.
- Reproduce locally with the benchmark commands in research/benchmarks.md.
Real-world findings snapshot
From a scan of 109 MCP server entries collected from public GitHub configs + official docs:
- 130 total findings (13 high, 117 medium)
- 100% missing tool allowlists (AW-007)
- 8.26% had unrestricted filesystem access (AW-002)
- 1.83% exposed hardcoded secrets (AW-004)
- Insecure cleartext transport and wildcard bind exposure (`http://`, `ws://`, `0.0.0.0`, `[::]`) still show up in public configs (AW-005)
Full methodology, source attribution, and raw output are in research/FINDINGS.md and research/scan-results.json.
Trust signals
- 4.0 MB release binary
- 255/255 tests passing
- 0 clippy warnings with `-D warnings`
- 0 known Rust dependency vulnerabilities (`cargo audit`)
Install
From crates.io (coming soon)
agentwise is not published on crates.io yet.
Install with Cargo today
```bash
cargo install --git https://github.com/brandonwise/agentwise agentwise
```
Build from source now
```bash
git clone https://github.com/brandonwise/agentwise
cd agentwise
cargo build --release
./target/release/agentwise --version
```
Pre-built binary
```bash
curl -sSf https://raw.githubusercontent.com/brandonwise/agentwise/main/install.sh | sh
```
Homebrew
```bash
brew tap brandonwise/tap
brew install agentwise
```
Scan workflow
Quick Start
```bash
# Scan current directory (auto-detects MCP configs)
agentwise scan .

# Scan a specific config file
agentwise scan ~/.mcp.json

# Scan a Codex MCP config
agentwise scan ~/.codex/config.toml

# Live mode: query OSV + EPSS for real-time CVE data
agentwise scan . --live

# Supply chain analysis (npm registry + deps.dev)
agentwise scan . --supply-chain

# Fail CI on high+ severity findings
agentwise scan . --fail-on high
```
Supported Configs
agentwise auto-detects and scans:
- `.mcp.json`: Claude Code project-level configs
- `claude_desktop_config.json`: Claude Desktop
- `.cursor/mcp.json`: Cursor editor
- `~/.codex/config.toml` and `.codex/config.toml`: Codex CLI + IDE
- `mcp.json`: Generic MCP configs
- Any JSON file with `mcpServers` or `context_servers` passed as argument
- Any Codex `config.toml` with `[mcp_servers.<name>]` tables passed as argument
Threat coverage
Detection Rules
12 built-in rules, covering misconfigurations, known CVEs, and supply chain risks:
| ID | Rule | Severity |
|---|---|---|
| AW-001 | No authentication on remote server | Critical |
| AW-002 | Overpermissioned filesystem access | Critical |
| AW-003 | Unrestricted shell/exec access | Critical |
| AW-004 | Secrets in plaintext config | High |
| AW-005 | Insecure transport or wildcard bind exposure (http://, ws://, 0.0.0.0, [::]) | High |
| AW-006 | Known CVE match (embedded + OSV) | Critical/High |
| AW-007 | Missing tool allowlist | Medium |
| AW-008 | Write-capable tools without opt-in | Medium |
| AW-009 | Unrestricted network/fetch tools | Medium |
| AW-010 | Prompt injection surface | Medium |
| AW-011 | Supply chain risk signals | High/Medium |
| AW-012 | Deep dependency chain (deps.dev) | High/Medium |
Live Mode
The --live flag queries OSV.dev for real-time vulnerability data and FIRST EPSS for exploitation probability scores. This tells you not just what is vulnerable, but how likely it is to be exploited in the wild.
```text
$ agentwise scan . --live
...
▲ HIGH      .mcp.json → filesystem  AW-006 [LIVE]
  CVE-2025-53110: Path traversal in server-filesystem <0.6.3
  EPSS: 72% exploitation probability (95th percentile)
  Fix: Upgrade to >=0.6.3
✓ Live CVE check: queried OSV for 8 packages (2 new vulnerabilities found)
...
```
EPSS scores above 50% are flagged as actively exploited in the wild. The --offline flag disables all network queries and uses only the embedded database.
Supply Chain Analysis
The --supply-chain flag analyzes each MCP server's npm package for supply chain risk signals: single-maintainer packages, typosquatting, install scripts, low download counts, and dependency graph depth via deps.dev.
```text
$ agentwise scan . --supply-chain
...
▲ HIGH      .mcp.json → sketchy-mcp  AW-011 [SUPPLY-CHAIN]
  Supply chain risk: HIGH for sketchy-mcp
  • Single maintainer 'anon42' (account takeover risk)
  • Has postinstall script
  • 43 weekly downloads
  Fix: Review package provenance and consider official @modelcontextprotocol packages
● MEDIUM    .mcp.json → some-tool  AW-012 [DEPS.DEV]
  Deep dependency chain: 247 transitive deps
  • 247 transitive dependencies (high risk)
  • 2 transitive deps have known advisories
  Fix: Review transitive dependencies and update packages with advisories
...
```
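As an added example (not agentwise's own code), the following Python scores a constructed npm-registry-style package document against four of the signals named above: typosquatting against an assumed list of official package names, a single maintainer, an install lifecycle script, and a low weekly download count. The thresholds, the official-name list and the HIGH/MEDIUM/LOW roll-up are assumptions; dependency-graph depth via deps.dev is left out.

```python
# Constructed registry-style metadata for a package an MCP config might reference.
SKETCHY = {
    "name": "@modelcontextprotocol/server-filesytem",   # one letter off the official name
    "maintainers": [{"name": "anon42"}],
    "scripts": {"postinstall": "node setup.js"},
    "weekly_downloads": 43,
}
# Assumed reference list; the scanner's real allowlist may differ.
OFFICIAL = ("@modelcontextprotocol/server-filesystem", "@modelcontextprotocol/server-memory")
INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # npm scripts that run at install time
LOW_DOWNLOADS = 100                                       # assumed threshold

def edit_distance(a, b):
    """Levenshtein distance: flags names a couple of edits away from an official package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def supply_chain_signals(pkg):
    """Return the list of risk signals present in one package document."""
    signals = []
    name = pkg["name"]
    if name not in OFFICIAL:
        for official in OFFICIAL:
            if edit_distance(name, official) <= 2:
                signals.append(f"possible typosquat of {official}")
    if len(pkg.get("maintainers", [])) == 1:
        signals.append("single maintainer (account takeover risk)")
    hooks = [h for h in INSTALL_HOOKS if h in pkg.get("scripts", {})]
    if hooks:
        signals.append("install script: " + ", ".join(hooks))
    downloads = pkg.get("weekly_downloads", 0)
    if downloads < LOW_DOWNLOADS:
        signals.append(f"low downloads ({downloads}/week)")
    return signals

def risk_level(signals):
    """Roll signals up to the HIGH/MEDIUM/LOW label the scanner prints; cut-offs are assumed."""
    if any("typosquat" in s for s in signals) or len(signals) >= 3:
        return "HIGH"
    return "MEDIUM" if signals else "LOW"
```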
CI/CD Integration
GitHub Actions (manual, available now)
```yaml
- name: Install agentwise
  run: curl -sSf https://raw.githubusercontent.com/brandonwise/agentwise/main/install.sh | sh
- name: Scan MCP configs
  run: agentwise scan . --fail-on high --format sarif > agentwise.sarif
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: agentwise.sarif
```
The --fail-on flag exits with code 1 when findings at or above the specified severity are found, gating your pipeline.
Output Formats
```bash
agentwise scan .                                      # Colorized terminal output (default)
agentwise scan . --format json                        # JSON for scripting and pipelines
agentwise scan . --format sarif                       # SARIF for GitHub Code Scanning
agentwise scan . --format html --output report.html   # Dark-themed HTML report
agentwise scan . --format markdown                    # Markdown for PRs/Notion/Confluence
agentwise badge --format svg --output badge.svg       # Shields.io-style SVG badge
agentwise inspect .                                   # Per-server risk posture summary
agentwise inspect . --format json                     # Machine-readable inspect output
```
Baseline management
agentwise supports suppressing findings with expiry:
```bash
agentwise baseline init
agentwise baseline show
agentwise baseline add --rule AW-007 --server mcp-fetch --reason "trusted tool for now" --expires 2026-12-31
agentwise baseline remove --rule AW-007 --server mcp-fetch
agentwise baseline prune-expired
```
Parser compatibility
agentwise parses multiple MCP config shapes:
- `mcpServers`
- `context_servers` (e.g. Zed)
- `lsp.{mcpServers|context_servers}` nested blocks
Inspect mode
inspect gives a per-server posture view without changing the AW-* taxonomy:
```bash
agentwise inspect .
agentwise inspect ~/.mcp.json --format json
```
Inspect output includes transport type, auth/allowlist presence, package pinning, and risk tags such as remote_no_auth, unrestricted_network, and broad_filesystem.
Scoring
Every scan produces a security score from 0 to 100:
| Grade | Score | Meaning |
|---|---|---|
| A | 90-100 | Excellent: minimal risk |
| B | 80-89 | Good: minor issues |
| C | 70-79 | Fair: some concerns |
| D | 50-69 | Poor: significant risks |
| F | 0-49 | Critical: immediate action needed |
Scoring weights: Critical = -20, High = -10, Medium = -5, Low = -2.
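As an added example (not agentwise's own code), the following Python reimplements three of the detection rules listed above (AW-001, AW-002, AW-005) over the config shapes the README supports (`mcpServers`, `context_servers`, and the same keys nested under `lsp`), then applies the stated scoring weights and grade bands. The matching heuristics (which env-var names count as credentials, which filesystem roots count as dangerous), the clamp at 0, and the sample config are assumptions.

```python
import json
import re

# Constructed sample config in the mcpServers shape (Claude Code / Cursor style).
SAMPLE = json.loads("""{
  "mcpServers": {
    "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/"]},
    "quickbooks": {"url": "http://0.0.0.0:8080/mcp"},
    "safe-fs": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "./src"],
                "allowedDirectories": ["./src"]},
    "billing": {"url": "https://api.example.com/mcp", "env": {"AUTH_TOKEN": "${BILLING_TOKEN}"}}
  }
}""")

AUTH_ENV = re.compile(r"AUTH|TOKEN|API_KEY|SECRET", re.I)        # assumed credential-name heuristic
INSECURE = ("http://", "ws://", "0.0.0.0", "[::]")               # markers the AW-005 rule names
WEIGHTS = {"Critical": 20, "High": 10, "Medium": 5, "Low": 2}    # weights stated in the README
GRADES = ((90, "A"), (80, "B"), (70, "C"), (50, "D"), (0, "F"))  # bands from the grade table

def iter_servers(cfg):
    """Yield (name, spec) from every shape the README lists: top-level
    mcpServers / context_servers, or the same keys nested under lsp."""
    for root in (cfg, cfg.get("lsp", {})):
        for key in ("mcpServers", "context_servers"):
            yield from root.get(key, {}).items()

def check_server(spec):
    """Return [(rule_id, severity)] for one server entry (matching logic is assumed)."""
    findings = []
    url = spec.get("url", "")
    if url:  # a url means a remote server
        if not any(AUTH_ENV.search(k) for k in spec.get("env", {})):
            findings.append(("AW-001", "Critical"))  # no credential configured at all
        if any(m in url for m in INSECURE):
            findings.append(("AW-005", "High"))      # cleartext transport / wildcard bind
    args = spec.get("args", [])
    if (any("server-filesystem" in a for a in args) and not spec.get("allowedDirectories")
            and any(a in ("/", "~", "C:\\") for a in args)):  # assumed "dangerous root" set
        findings.append(("AW-002", "Critical"))
    return findings

def scan(cfg):
    """Run the rules over every server; score = 100 minus weights, clamped at 0."""
    findings = [(name, *f) for name, spec in iter_servers(cfg) for f in check_server(spec)]
    score = max(0, 100 - sum(WEIGHTS[sev] for _, _, sev in findings))
    grade = next(g for floor, g in GRADES if score >= floor)
    return findings, score, grade
```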
CVE Database
agentwise ships with an embedded database of 22+ known MCP vulnerabilities, compiled at build time. Notable entries:
- CVE-2025-6514: Command injection in MCP tool configs (CVSS 10.0)
- CVE-2026-2256: Prompt-to-RCE via Shell tool in `ms-agent` (CVSS 10.0)
- CVE-2025-59536: RCE via Claude Code project files (CVSS 9.8)
- CVE-2026-15503: Container escape in `mcp-server-docker` (CVSS 9.6)
- CVE-2026-31024: SQL injection in `mcp-server-postgres` (CVSS 9.1)
- CVE-2025-53110: Path traversal in `server-filesystem`
- CVE-2025-68143: Path traversal + argument injection in Git MCP
Update your local cache from OSV at any time:
```bash
agentwise update
```
Roadmap
- 12 detection rules (AW-001 through AW-012)
- Embedded CVE database (22+ entries)
- Live OSV + EPSS enrichment (`--live`)
- Supply chain analysis (`--supply-chain`)
- deps.dev dependency graph analysis
- Terminal, JSON, SARIF output
- GitHub Action
- Scoring system (0-100, A-F)
- Auto-discovery (`agentwise scan --auto`)
- Inspect mode (`agentwise inspect`)
- Custom rule DSL (YAML)
- Interactive TUI
- Auto-fix (`agentwise fix`)
Contributing
See CONTRIBUTING.md. The easiest way to contribute is adding new detection rules: each rule is a single file in `src/rules/`.
License
MIT License (LICENSE-MIT).
Built by @brandonwise. Because your AI agents deserve better security than `"auth": null`.
