Skip to content
AgentIntentCode ReviewSlackCLIContext Engine MCPChangelog
Context EnginePricingDocsBlog
CustomersCareersContextWikiStatus PageTrust CenterSecurity
Talk to SalesSign in
Install
mcp-registry/Snyk Agent Scan
Snyk Agent Scan logo

Snyk Agent Scan

Author: snyk

Description: Security scanner CLI for AI agents, MCP servers, and agent skills. Auto-discovers local agent configurations (e.g., Claude, Cursor, Windsurf, Gemini CLI), connects to MCP servers to fetch tool descriptions, and scans for 15+ risks such as prompt injection, tool poisoning/shadowing, toxic flows, malware payloads, untrusted content, credential handling, and hardcoded secrets. Requires a Snyk account/API token (SNYK_TOKEN).

Stars: 1.9k

Forks: 188

License: Apache License 2.0

Category: Enterprise

GitHubWebsiteDocumentation

Overview

Installation

### Prerequisites
1. Sign up at [https://snyk.io](https://snyk.io) and get an API token from [https://app.snyk.io/account](https://app.snyk.io/account) (API Token  KEY  click to show).
2. Set the token as an environment variable:```bash
export SNYK_TOKEN=your-api-token-here
3. Install `uv` (per the README link): [https://docs.astral.sh/uv/getting-started/installation/](https://docs.astral.sh/uv/getting-started/installation/) ### Run (Quick Start) Run a full scan (auto-discovers agents, MCP servers, skills):
uvx snyk-agent-scan@latest
Scan specific inputs:
# scan mcp configurations
uvx snyk-agent-scan@latest ~/.vscode/mcp.json
# scan a single agent skill
uvx snyk-agent-scan@latest ~/path/to/my/SKILL.md
# scan all claude skills
uvx snyk-agent-scan@latest ~/.claude/skills
### Demo (vulnerable MCP server included in this repo) 1. Clone this repository. 2. Create an `mcp.json` in the repo root with:```jsonc { "mcpServers": { "Demo MCP Server": { "type": "stdio", "command": "uv", "args": ["run", "mcp", "run", "demoserver/server.py"], }, }, }
3. Run Agent Scan:```bash
uvx --python 3.13 snyk-agent-scan@latest scan --full-toxic-flows mcp.json
### Development setup (run from source)
uv run pip install -e .
uv run -m src.agent_scan.cli

01

snyk-agent-scan

CLI entrypoint that scans the current machine to discover agent components (agents, MCP servers, skills) and report security risks; defaults to running the scan command.

02

scan

Scan MCP configurations (and discovered components) for security vulnerabilities in tools, prompts, and resources; invoked as `snyk-agent-scan scan [CONFIG_FILE...]`.

03

inspect

Connect to MCP servers and print descriptions of tools, prompts, and resources without performing verification; invoked as `snyk-agent-scan inspect [CONFIG_FILE...]`.

04

help

Display detailed help information and usage examples; invoked as `snyk-agent-scan help`.

FAQs

What specific data does Snyk Agent Scan send to the cloud API, and are there privacy concerns with transmitting tool descriptions?

Agent Scan transmits tool names, descriptions, and scan metadata to Snyk's cloud API. Privacy concerns arise because tool descriptions may inadvertently expose internal project details, naming conventions, or business logic. Teams in regulated industries or with strict data residency requirements should review whether their tool metadata can leave the network before enabling cloud-backed scanning.

What are the alternatives to Snyk Agent Scan for teams that need offline or air-gapped MCP security scanning?

Teams requiring air-gapped MCP scanning can use mcp-guard, which runs locally without cloud dependencies according to its repository. For offline static analysis, teams may implement custom YARA rules or pattern-matching scripts targeting MCP tool schemas. Another approach involves isolated network segments where scanning tools access internal threat intelligence feeds rather than external APIs, though this requires maintaining detection signatures internally.

How do I set up Snyk Agent Scan in a CI/CD pipeline to automatically detect MCP configuration drift?

Export your Snyk API token as an environment variable in your CI runner, then invoke Agent Scan with JSON output and state tracking flags. Store the results file as a build artifact between runs so subsequent scans can diff against the previous state and catch tool definition changes. The exit code will fail the build when new issues appear.

How does toxic flow analysis work across multiple MCP servers, and what does a detected exfiltration chain look like?

Toxic flow analysis identifies when safe tools combine to create risk. For example, one tool reads local files while another uploads externally—individually harmless, together forming an exfiltration chain. Agent Scan flags these patterns and shows the top three tools by default, or all with --full-toxic-flows, helping teams spot composite risks invisible in single-tool audits.

What are the differences between using STDIO and Streamable HTTP for MCP servers?

STDIO uses direct process communication where the client spawns the MCP server locally via standard input/output streams. Streamable HTTP uses remote HTTP POST requests with optional Server-Sent Events for streaming. STDIO offers lower latency and simpler setup but runs only locally, while HTTP enables remote deployment, multiple concurrent clients, and centralized updates for production systems.

Can you explain the role of Dynamic Client Registration (DCR) in MCP Server setup?

Dynamic Client Registration allows MCP clients to self-register with an authorization server via OAuth 2.0 (RFC 7591) by posting metadata like redirect URIs, triggering automatic token issuance. This eliminates manual pre-configuration for clients such as Claude Desktop or VS Code, though it requires enabling DCR in platforms like Auth0 and introduces risks like resource exhaustion from open endpoints.

License: Apache License 2.0
Updated 3/17/2026