vigile-scan

Security scanner for MCP servers and AI agent skills. Detect tool poisoning, credential theft, data exfiltration, and supply chain attacks — before they reach your machine.

Quick Start

npx vigile-scan

No install, no config. Vigile discovers your MCP server configurations and agent skill files, scans them against 59 detection rules, and returns a trust score for each one.

What It Detects

MCP Server Threats (22 patterns + 5 inline checks)

ID	Category	What It Catches
TP-001–008	Tool Poisoning	Prompt overrides, hidden manipulation, cross-tool injection, whitespace hiding, system prompt references, secrecy directives
EX-001–007	Data Exfiltration	SSH key access, AWS credentials, .env files, credential files, suspicious URLs, crypto wallet access, browser data
PM-001–004	Permission Abuse	Code execution (eval/spawn), unrestricted filesystem, network requests, sensitive path access
OB-001–004	Obfuscation	Base64 content, zero-width Unicode, hex-encoded strings, Unicode escapes
EV/AR/CM	Inline Checks	Sensitive env vars, security bypass flags, sensitive directory args, auto-install (npx -y), typosquatting

Agent Skill Threats (32 patterns)

ID	Category	What It Catches
SK-001–006	Instruction Injection	Role hijacking, instruction override, hidden markdown instructions, conditional triggers, cross-skill poisoning, invisible Unicode
SK-010–014	Malware Delivery	Remote script piping, reverse shells, suspicious install prerequisites, encoded payloads, typosquatted packages
SK-020–023	Stealth Operations	Silent action directives, output suppression, history/log evasion, deceptive user responses
SK-030–033	Safety Bypass	Confirmation bypass, safety feature disable, force flags, root/sudo escalation
SK-040–043	Persistence Abuse	Startup file modification, memory file tampering, cron jobs, git hook injection
SK-050–053	Data Exfiltration	Credential harvesting, URL-based exfiltration, filesystem enumeration, env var dumping
SK-060–064	Location Guard	GPS spoofing, location-aware triggers, geo-targeting attacks, location-based access control bypass

Platforms

Vigile auto-discovers configurations from:

• Claude Desktop — claude_desktop_config.json
• Claude Code — CLAUDE.md, .claude/ skill files
• Cursor — .cursor/rules/*.mdc, .cursorrules
• GitHub Copilot — .github/copilot/**/*.md, copilot-instructions.md
• Windsurf — windsurf.json, .windsurfrules
• VS Code — .vscode/mcp.json
• OpenClaw — ~/.openclaw/openclaw.json, openclaw.config.json

Usage

vigile-scan [options]

Scan Options

Flag	Description
(no flags)	Scan all MCP servers on this machine
-s, --skills	Scan agent skills only (SKILL.md, .mdc rules, CLAUDE.md)
-a, --all	Scan both MCP servers and agent skills
-j, --json	Output results as JSON
-v, --verbose	Show detailed findings and score breakdown
-c, --config <path>	Path to a custom MCP config file
-o, --output <path>	Write results to a file
--client <name>	Only scan a specific client (claude-desktop, cursor, claude-code, windsurf, vscode, openclaw)
--no-upload	Skip uploading scan results to Vigile API

Sentinel Runtime Monitoring (Pro)

Flag	Description
--sentinel	Enable runtime phone-home detection
--sentinel-server <name>	Monitor a specific MCP server by name
--sentinel-duration <sec>	Monitoring duration in seconds (default: 120)

Authentication

# Authenticate with your API key (get one at https://vigile.dev/account)
vigile-scan auth login <vgl_your_api_key>

# Check auth status
vigile-scan auth status

# Log out
vigile-scan auth logout

You can also set VIGILE_TOKEN as an environment variable for CI/CD.

Examples

Scan everything

npx vigile-scan --all

JSON output for CI/CD

npx vigile-scan --json --all > vigile-report.json

Scan a specific client

npx vigile-scan --client cursor

Verbose output with score breakdown

npx vigile-scan --all --verbose

GitHub Actions

- name: Vigile Security Scan
  run: npx vigile-scan --all --json -o vigile-report.json
  env:
    VIGILE_TOKEN: ${{ secrets.VIGILE_TOKEN }}

- name: Fail on critical findings
  run: |
    critical=$(jq '.bySeverity.critical' vigile-report.json)
    if [ "$critical" -gt 0 ]; then exit 1; fi

A dedicated GitHub Action (vigile-github-action) is also available for deeper CI/CD integration.

Trust Scores

Every scanned item gets a trust score from 0–100:

Score	Level	Meaning
80–100	Trusted	No significant issues found
60–79	Caution	Minor issues — review recommended
40–59	Risky	Significant issues — investigate before using
0–39	Dangerous	Critical issues — do not install

The score is a weighted composite of five factors: code analysis (30%), dependency health (20%), permission safety (20%), behavioral stability (15%), and transparency (15%).

Exit Codes

Code	Meaning
0	Scan complete, no critical or high findings
1	Critical or high severity findings detected

This makes vigile-scan work natively in CI/CD pipelines — a non-zero exit fails the build.

Sentinel: Runtime Monitoring

Static scanning catches what's in the code. Sentinel catches what the code actually does on the wire.

When you run --sentinel, Vigile intercepts outbound network traffic from your MCP servers and flags:

• C2 beaconing — periodic callbacks to unknown servers
• Credential theft — API keys, tokens, or secrets sent over the network
• DNS tunneling — data exfiltration hidden in DNS queries
• Unexpected destinations — connections to IPs/domains outside the expected set

Sentinel is available on Pro ($30/mo) and Pro+ ($100/mo) plans. Free users can run static scans with no limits.

Pricing

Tier	Price	Highlights
Free	$0/forever	Unlimited CLI scans, 50 API scans/month, registry browsing
Pro	$30/mo	Sentinel monitoring (5 min, 3 servers), 1,000 API scans
Pro+	$100/mo	Sentinel (30 min, 10 servers), DNS tunneling & C2 detection, alerts

Annual plans available at vigile.dev/pricing.

Links

• Web Scanner & Registry — vigile.dev
• GitHub — github.com/Vigile-ai/vigile-scan
• Report Issues — github.com/Vigile-ai/vigile-scan/issues

License

Apache-2.0