Noureddine RAMDI / Snyk Agent Scan: interactive security scanning for AI agent components

Created Mon, 04 May 2026 10:23:02 +0000 Modified Sat, 23 May 2026 20:41:27 +0000

snyk/agent-scan

Snyk Agent Scan tackles a growing security concern in AI development: vulnerabilities hidden inside AI agent components like MCP servers, agent skills, and tools. It’s a Python-based CLI scanner designed to discover and analyze these components on your machine, detecting over 15 distinct security risks including prompt injections, tool poisoning, tool shadowing, malware payloads, and hardcoded secrets. What stands out is its interactive consent model that explicitly asks for user approval before running any MCP server commands—adding a layer of protection during the scanning process itself.

what snyk agent scan does and how it works

At its core, Snyk Agent Scan is a security scanner tailored to the AI agent ecosystem. It automatically discovers agent configurations installed across popular AI IDEs and environments such as Claude Code/Desktop, Cursor, Windsurf, Gemini CLI, and VS Code, running on macOS, Linux, and Windows. This discovery spans MCP servers, agent skills, and tools.

The scanner operates in two modes: an interactive CLI mode and a background mode. The interactive CLI mode requires explicit user consent before executing MCP server commands it finds during the scan. This prevents untrusted or malicious code from running without scrutiny—a thoughtful UX-security tradeoff. The background mode supports integration with MDM or CrowdStrike for automated, continuous monitoring.

Under the hood, the tool is implemented in Python and uses uvx to execute scanning commands across platforms. It requires a Snyk API token for authenticating API requests that analyze components for vulnerabilities. The scan includes both local static checks and API-based vulnerability lookups via the Snyk Agent Scan API.

The scanner detects a broad range of security issues relevant to AI agents, including but not limited to:

  • Prompt injection attacks that manipulate AI behavior
  • Tool poisoning where malicious tools are introduced
  • Tool shadowing which hides dangerous code behind trusted names
  • Toxic flows that propagate harmful instructions
  • Malicious payloads embedded in code or configurations
  • Hardcoded secrets like API keys or tokens

This breadth of detection is crucial given the complexity and novelty of AI agent supply chains.

What distinguishes Snyk Agent Scan is its interactive consent mechanism before executing MCP server commands during scanning. Instead of silently running discovered server commands—which could itself be an attack vector—the tool displays the exact command and its environment variables (with sensitive data redacted). It then prompts the user to explicitly approve (y/n) each command before execution.

This approach mitigates the risk of executing malicious code during scanning, which is a subtle but significant security concern. It also gives developers insight into what the scanner is doing under the hood, improving transparency and trust.
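As an added illustration of the two points above (the hardcoded-secret check from the detection list and the consent gate before any MCP server command runs), here is a small Python sketch that is not Snyk's code: it reads a constructed MCP config in the common `mcpServers` JSON shape, prints each server's exact launch command with credential-looking environment values redacted, reports environment values that look like literal secrets, and hands a server to the launch hook only after an explicit yes. The config shape, the `SENSITIVE_KEY` heuristic, the function names and the sample data are this example's own assumptions, not the scanner's internals.

```python
"""Consent-gated launch of MCP server commands, with env redaction.

Added example, not Snyk's code. It mirrors the flow described above: show the
exact command and its environment (secrets redacted), report env values that
look like hardcoded credentials, and run nothing without an explicit "y".
Assumptions: the config uses the common {"mcpServers": {name: {command, args,
env}}} JSON shape; SENSITIVE_KEY is a simple name heuristic, not Snyk's rules.
"""
import json
import os
import re
import shlex
from typing import Callable

# Env var names that usually carry credentials (assumed heuristic).
SENSITIVE_KEY = re.compile(r"TOKEN|SECRET|PASSW(OR)?D|API_?KEY|CREDENTIAL|PRIVATE", re.I)
# A value like $VAR or ${VAR} is a reference to the ambient environment, not a literal.
ENV_REF = re.compile(r"\$\{?\w+\}?")

# Constructed sample config; the API key is a fake placeholder.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "files": {
      "command": "node",
      "args": ["./mcp/files.js", "--root", "/tmp/demo"],
      "env": {"LOG_LEVEL": "debug"}
    },
    "weather": {
      "command": "uvx",
      "args": ["weather-mcp"],
      "env": {"WEATHER_API_KEY": "sk-example-not-a-real-key", "REGION": "eu"}
    }
  }
}
"""


def parse_servers(config_text: str) -> dict:
    """Return {name: {"command", "args", "env"}} from an mcpServers-style JSON document."""
    data = json.loads(config_text)
    servers = {}
    for name, spec in data.get("mcpServers", {}).items():
        servers[name] = {
            "command": spec["command"],
            "args": [str(a) for a in spec.get("args", [])],
            "env": {k: str(v) for k, v in spec.get("env", {}).items()},
        }
    return servers


def redact_env(env: dict) -> dict:
    """Replace values of credential-looking variables so they never reach the terminal."""
    return {k: ("<redacted>" if SENSITIVE_KEY.search(k) else v) for k, v in env.items()}


def hardcoded_secrets(env: dict) -> list:
    """Names of credential-looking variables whose value is a literal, not an env reference."""
    return [k for k, v in env.items()
            if SENSITIVE_KEY.search(k) and v and not ENV_REF.fullmatch(v)]


def render_command(name: str, spec: dict) -> str:
    """One line showing exactly what would run, with sensitive env values redacted."""
    env_part = " ".join(f"{k}={v}" for k, v in redact_env(spec["env"]).items())
    argv = shlex.join([spec["command"], *spec["args"]])
    return f"[{name}] {env_part} {argv}".strip()


def run_with_consent(servers: dict, ask: Callable[[str], bool],
                     launch: Callable[[str, list, dict], None]) -> dict:
    """Gate every server launch on ask(); launch() receives (name, argv, merged_env).

    Returns {name: "ran" | "skipped"} so callers can report what actually executed.
    """
    outcome = {}
    for name, spec in servers.items():
        for key in hardcoded_secrets(spec["env"]):
            print(f"  finding: hardcoded secret in env var {key} of server {name}")
        if not ask(f"Run {render_command(name, spec)}? [y/N] "):
            outcome[name] = "skipped"
            continue
        launch(name, [spec["command"], *spec["args"]], {**os.environ, **spec["env"]})
        outcome[name] = "ran"
    return outcome


if __name__ == "__main__":
    def ask_tty(prompt: str) -> bool:
        return input(prompt).strip().lower() == "y"

    def dry_run(name, argv, env):  # stand-in for a real launch: prints instead of executing
        print(f"  would launch {name}: {shlex.join(argv)}")

    print(run_with_consent(parse_servers(SAMPLE_CONFIG), ask_tty, dry_run))
```

Run interactively, it walks through the two constructed servers and shows only the redacted command line before asking; the `launch` hook is where a real scanner would start the server and query its tool list over MCP, which this sketch deliberately leaves to the caller so that nothing executes without the answer being "y".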

The tradeoff here is user interaction overhead: scans aren’t fully automated and require manual approval, which might be cumbersome in CI/CD pipelines or large environments. However, the tool’s background mode is designed to address automated enterprise use cases.

Architecturally, the code cleanly separates the scanning logic from the user prompt flow, making it easier to maintain and extend. The interactive CLI mode enhances developer experience by balancing thoroughness with safety.

quick start

To try Snyk Agent Scan, follow these exact steps from the README:

  1. Sign up at Snyk and get an API token from https://app.snyk.io/account (API Token → KEY → click to show).

  2. Set the token as an environment variable before running any scan:

export SNYK_TOKEN=your-api-token-here

  3. Have uv installed on your system.

Scanning

Run a full scan of your machine (auto-discovers agents, MCP servers, skills):

uvx snyk-agent-scan@latest

This scans for vulnerabilities in MCP servers, tools, prompts, and resources, automatically discovering configurations for Claude Code/Desktop, Cursor, Gemini CLI, and Windsurf.

To also auto-discover and scan agent skills, add the --skills flag:

uvx snyk-agent-scan@latest --skills

You can also scan specific MCP config files or skills by providing their paths.

Development setup

To run the agent scan from source:

uv run pip install -e .
uv run -m src.agent_scan.cli

This setup is straightforward for anyone familiar with Python development.

verdict

Snyk Agent Scan is a pragmatic tool addressing a nuanced security challenge in AI agent development. Its ability to detect 15+ distinct risks across MCP servers and agent skills is valuable for teams shipping AI agents with complex configurations.

The interactive consent flow is a standout feature that prevents the scanner itself from becoming a security risk. This makes it well suited for security-conscious developers who want to audit their AI agent environments safely.

That said, the need for a Snyk API token and the manual approval steps may limit fully automated pipeline integrations. The background mode partially mitigates this but may require enterprise setup.

For anyone building or maintaining AI agents, especially in environments with multiple MCP servers and third-party skills, this tool offers a solid balance of depth, safety, and usability. It’s worth exploring if you want to gain visibility into potential vulnerabilities in your AI agent supply chain without risking scanning operations themselves.


→ GitHub Repo: snyk/agent-scan ⭐ 2,316 · Python