Snyk Agent Scan
The first serious security scanner built for the agent ecosystem.
Agent Scan installs in one command via uvx and immediately starts finding real vulnerabilities in your MCP servers and agent skills. The free tier is limited to local inspection without Snyk's cloud analysis API, which requires a token and sends your tool descriptions to Snyk's servers. If you run agents with MCP configs, this tool is worth adding to your workflow. If you have no MCP servers or skills installed, it has nothing to scan.
$ uvx snyk-agent-scan@latest
requires uv, no pip needed
$ git clone --depth 1 https://github.com/snyk/agent-scan && cd agent-scan && uv run snyk-agent-scan --help
install if
- Anyone running MCP servers locally. If you have MCP configs for Claude Desktop, Cursor, or VS Code, this tool will tell you if any of them contain prompt injection or tool poisoning attacks. That is directly useful today.
- Security teams managing agent deployments. The guard command installs hooks into agent clients to intercept tool calls before execution. The --control-server mode lets you centralize scan results from an entire fleet. This is the enterprise use case.
- Skill authors. Running inspect on your own skill directory shows exactly what Agent Scan sees: file inventory, type classification, and the surface area available for analysis. Useful for self-auditing before publishing.
skip if
- Developers with no MCP servers or agent skills installed. The tool scans for agent components. If you have none, it has nothing to do. The output will be "no mcp servers found" for every client.
- Teams that cannot send tool descriptions to external APIs. The scan analysis happens server-side at Snyk. If your MCP tools contain proprietary business logic in their descriptions, this data leaves your network during analysis.
- Anyone needing offline or air-gapped scanning. There is no local analysis mode for the scan command. Inspect mode works offline but does not detect vulnerabilities.
What It Does
Snyk Agent Scan is a CLI security scanner that crawls your local machine for agent-related configurations: MCP server definitions, agent skill files (SKILL.md), and tool descriptions. It connects to MCP servers, retrieves their tool manifests, and checks everything against a catalog of 15+ issue types including prompt injection (E001, E004), tool poisoning (E001), tool shadowing (E002), toxic flows (W015-W020), hardcoded secrets (W008), and malicious code patterns (E006). The tool supports 13 agent platforms across macOS, Linux, and Windows including Claude Desktop, Claude Code, Cursor, Windsurf, VS Code, Gemini CLI, OpenClaw, Amp, Codex, and Amazon Q. It has two main modes: scan (full vulnerability analysis, requires SNYK_TOKEN) and inspect (read-only tool listing, no token needed). There is also a guard command that installs pre-execution hooks into Claude Code, Cursor, and Codex to intercept tool calls before they run.
The Good
Fast install with zero config. Running uvx snyk-agent-scan@latest pulls the tool and all 55 dependencies in about 60 seconds. No signup, no configuration files. The first thing it does is auto-discover every agent config on your machine by checking well-known paths. On this test machine it found Claude Desktop, Claude Code, and OpenClaw configs without any hints.
Broad agent coverage. The well_known_clients.py file defines 13 agent platforms across three operating systems. It knows the exact paths for MCP configs and skill directories for each: ~/.claude/skills for Claude Code, ~/.codeium/windsurf/skills for Windsurf, ~/.cursor/skills for Cursor, ~/.openclaw for OpenClaw, and so on. It even handles glob-based discovery for plugin caches (like ~/.claude/plugins/cache/**/skills).
Serious detection catalog. The issue-codes documentation lists 15 distinct detection types across three categories: compromised MCP servers (prompt injection, tool poisoning, cross-server tool references), compromised skills (prompt injection, suspicious URLs, malicious code patterns), and vulnerable skills (credential handling, hardcoded secrets, financial capabilities, untrusted content, external dependencies, system modification). Each issue has a severity badge (critical/high/medium/low) and a detailed explanation with attack references.
Interactive consent for MCP servers. By default the tool prompts before starting each stdio MCP server found in your configs, showing the exact command and redacted environment variables. This is a thoughtful security default: the tool itself is scanning for security issues, but it does not blindly execute arbitrary server commands to do so. The --dangerously-run-mcp-servers flag requires explicit opt-in.
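A consent prompt of this kind has to show the launch command without echoing credentials. The sketch below is an added example, not Agent Scan's own code: it assumes the common mcpServers JSON layout, and the function names, the REDACTED marker and the secret-flag heuristic are illustrative choices.

```python
import json
import re
import shlex

# Constructed sample in the common "mcpServers" layout; not from a real machine.
SAMPLE_CONFIG = """
{"mcpServers": {
  "files": {
    "command": "npx",
    "args": ["-y", "example-files-server", "--root", "/srv/data"],
    "env": {"API_TOKEN": "constructed-token-123", "LOG_LEVEL": "debug"}
  },
  "search": {
    "command": "uvx",
    "args": ["example-search", "--api-key=constructed-abc", "--token", "constructed-xyz"]
  },
  "remote": {"url": "https://mcp.example.invalid/sse"}
}}
"""

# Assumed heuristic: a flag whose name contains one of these words carries a secret.
SECRET_NAME = re.compile(r"key|token|secret|password", re.I)


def redact_args(args):
    out, hide_next = [], False
    for arg in args:
        flag, sep, _value = arg.partition("=")
        if hide_next:                      # value of a preceding "--token"
            out.append("REDACTED")
            hide_next = False
        elif flag.startswith("-") and SECRET_NAME.search(flag):
            out.append(f"{flag}=REDACTED" if sep else flag)
            hide_next = not sep            # "--token value" form: hide next arg
        else:
            out.append(arg)
    return out


def consent_lines(config_text):
    """One display line per stdio server; URL-only entries start no process."""
    servers = json.loads(config_text).get("mcpServers", {})
    lines = []
    for name, spec in sorted(servers.items()):
        if "command" not in spec:
            continue
        argv = [spec["command"], *redact_args(spec.get("args", []))]
        # Every env value is hidden: names are enough to judge what is passed.
        env = [f"{k}=REDACTED" for k in sorted(spec.get("env", {}))]
        # shlex.quote keeps arguments with spaces or metacharacters unambiguous.
        lines.append(f"{name}: " + " ".join(env + [shlex.quote(a) for a in argv]))
    return lines
```
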
545 passing unit tests. The test suite has 576 collected tests across unit and e2e categories. Unit tests cover CLI parsing, bootstrap logic, redaction, consent flows, guard installation, model validation, and MCP client behavior. Only 1 test failed due to the missing SNYK_TOKEN environment variable (test_verify_api.py::TestProxySupport::test_analyze_machine_honors_http_proxy_env), which is expected in an unauthenticated test environment.
Inspect mode works without an account. The inspect command lists all discovered tools, skills, and servers without needing a Snyk token. On this machine it parsed the skill-review SKILL.md and listed all 22 files (21 instruction references plus 1 script) correctly identified by type. This is useful for inventory audits even if you never connect to Snyk's cloud.
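The path discovery and typed file listing described above can be approximated offline. This is an added example, not Agent Scan's code: it uses the skill paths quoted in this review, and the suffix-based classification and the walk over every file in a skill directory are assumptions of the sketch.

```python
from pathlib import Path

# Skill locations named in the review, relative to the home directory.
SKILL_ROOTS = {
    "Claude Code": [".claude/skills", ".claude/plugins/cache/**/skills"],
    "Windsurf": [".codeium/windsurf/skills"],
    "Cursor": [".cursor/skills"],
}
# Assumed rule for this sketch: Markdown is instruction text that the agent
# reads, these suffixes are code it may execute, everything else is "other".
SCRIPT_SUFFIXES = {".py", ".sh", ".js", ".ts", ".rb", ".ps1"}


def classify(path):
    suffix = path.suffix.lower()
    if suffix == ".md":
        return "instruction"
    return "script" if suffix in SCRIPT_SUFFIXES else "other"


def inventory(home):
    """Map (client, skill dir relative to home) -> [(type, file path)]."""
    home = Path(home)
    found = {}
    for client, patterns in SKILL_ROOTS.items():
        for pattern in patterns:
            for root in sorted(home.glob(pattern)):
                # A skill is a directory that carries a SKILL.md manifest.
                for manifest in sorted(root.glob("*/SKILL.md")):
                    skill_dir = manifest.parent
                    key = (client, skill_dir.relative_to(home).as_posix())
                    found[key] = [
                        (classify(p), p.relative_to(skill_dir).as_posix())
                        for p in sorted(skill_dir.rglob("*"))
                        if p.is_file()
                    ]
    return found


if __name__ == "__main__":
    for (client, skill), files in inventory(Path.home()).items():
        print(f"{client}: {skill}")
        for kind, rel in files:
            print(f"  {kind:<12}{rel}")
```
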
The Bad
Core scan features require a Snyk API token. The actual vulnerability detection (the main value proposition) sends your tool descriptions and skill content to Snyk's analysis API. Without SNYK_TOKEN set, the scan command exits with code 1 and shows a signup prompt. This means the most interesting part of the tool is gated behind account creation. The inspect mode is useful but limited to listing, not detection.
Sends agent data to Snyk's servers. Even when authenticated, the tool shares skill content, tool names, and tool descriptions with Snyk's API for analysis. The TERMS.md is clear about this and the README mentions it, but it is worth noting for teams with proprietary skill content or internal tool descriptions they do not want leaving their network. There is no local-only analysis mode for the scan command.
Closed to contributions. The README explicitly states: "Agent Scan does not accept external contributions at this time." Bug reports and feature requests are welcome via GitHub issues, but pull requests will not be merged. This limits community-driven improvements to detection rules and agent platform support.
Bootstrap metadata collection. When a control server is configured, Agent Scan sends a startup bootstrap request containing hostname, username, OS details, Python version, working directory, home directory contents (capped at 1000 entries), and more. This is documented transparently in the README and can be disabled with --no-bootstrap, but the default behavior collects significant machine fingerprint data.
Smoke Test Results
Tested on macOS 26.4.1 (aarch64) with uv 0.10.2.
Run A -- Fresh install, no SNYK_TOKEN
$ cd /tmp && git clone --depth 1 https://github.com/snyk/agent-scan /tmp/snyk-agent-scan-r3
Cloning into '/tmp/snyk-agent-scan-r3'...
✅ Clone succeeded (7.2 MB)
$ cd /tmp/snyk-agent-scan-r3 && uv run snyk-agent-scan --help
usage: uv run snyk-agent-scan [-h] COMMAND ...
Snyk Agent Scan: Security scanner for Model Context Protocol servers, agents, skills and tools
✅ Help output works, shows scan/inspect/help/evo/guard commands
$ uv run snyk-agent-scan scan --no-skills
Snyk Agent Scan v0.5.4
To use Agent Scan, set the SNYK_TOKEN environment variable.
✅ Correctly exits with usage message when no token is set
$ uv run snyk-agent-scan inspect --no-skills
Snyk Agent Scan v0.5.4
Scanning /Users/openclaw/Library/Application Support/Claude... no mcp servers found
Scanning /Users/openclaw/.claude... no mcp servers found
Scanning /Users/openclaw/.openclaw... no mcp servers found
✅ Inspect mode discovers Claude Desktop, Claude Code, OpenClaw configs
$ uv run snyk-agent-scan inspect /Users/openclaw/.hermes/skills/dogfood/skill-review/SKILL.md
Scanning /Users/openclaw/.hermes/skills/dogfood... found 1 skill
skill-review
instruction SKILL.md
instruction references/review-template-architecture.md
... (22 files total)
script remove-slop.py
✅ Correctly parses a SKILL.md and lists all linked files with type classification
$ uv run snyk-agent-scan guard
User-level hooks:
Claude Code /Users/openclaw/.claude/settings.json NOT INSTALLED
Cursor /Users/openclaw/.cursor/hooks.json NOT INSTALLED
Codex /Users/openclaw/.codex/hooks.json NOT INSTALLED
✅ Guard status command shows all supported clients
$ uv run pytest tests/unit/ -x --no-header -q
1 failed, 545 passed, 11 skipped, 68 warnings in 17.89s
✅ Unit test suite runs (1 failure due to missing SNYK_TOKEN)
Pass rate: 6 of 6. All commands ran without errors. The scan command correctly requires a token. Inspect mode discovered all local agent configs.
Run B -- With deps preinstalled
$ uv run snyk-agent-scan inspect --json --no-skills
{json output with 3 client entries, all with empty servers/issues arrays}
✅ JSON output is valid and parseable
$ uv run pytest tests/unit/ --co -q
576 tests collected in 1.51s
✅ Test discovery finds all tests
Pass rate: 2 of 2.
What the runs tell you
The tool installs cleanly and the inspect mode works without any account or API key. All CLI commands respond correctly. The core value (vulnerability detection) requires a Snyk account and sends data to their API, which we could not test. The 545 passing unit tests give confidence in the parsing and analysis logic.
Setup Walkthrough
- Install uv if you do not have it: brew install uv (macOS) or curl -LsSf https://astral.sh/uv/install.sh | sh (Linux).
- Run the scanner with no install step: uvx snyk-agent-scan@latest.
- For full scanning, set export SNYK_TOKEN=your-token (get one from https://app.snyk.io/account).
- Run uvx snyk-agent-scan@latest to scan all discovered configs.
- Run uvx snyk-agent-scan@latest inspect for a read-only inventory without a token.
- For CI: uvx snyk-agent-scan@latest --ci --dangerously-run-mcp-servers --json.
Alternatives
- MCP Scanner (Invariant Labs) -- the original open-source predecessor that Agent Scan is built on. Less polished, fewer agent platforms, but fully open and community-maintained.
- Promptfoo -- a broader LLM testing framework that includes red-teaming and injection testing. More general-purpose, less focused on MCP-specific threats.
- LLM Guard (Protect AI) -- an input/output sanitization library for LLM applications. Complementary approach: scans content in real-time rather than auditing configs.
- reviewed by: GearScope
- tested: 2026-05-22 · macOS (Apple Silicon)
- last verified: 2026-05-22
- depth: HANDS-ON
- sponsorship: none, ever