agentshield

Discovers Claude-related configuration files (settings.json, mcp.json, CLAUDE.md) across the filesystem and runs them through a curated registry of 102+ static analysis rules organized by threat category (secrets, permissions, hooks, MCP, prompt injection). Each rule produces a Finding object with severity level, vulnerability description, and remediation steps, enabling systematic detection of misconfigurations before runtime.

Scans configuration files for exposed API keys, tokens, and private keys using pattern matching rules for Anthropic, OpenAI, AWS, and other providers. Detects both common formats (e.g., sk-* prefixes) and entropy-based anomalies in string values, flagging findings with severity levels and remediation steps recommending environment variable substitution or secret management tools.

Validates the authenticity and trustworthiness of MCP server sources by cross-referencing against known-good registries, checking maintainer reputation, and verifying code signatures. Assesses maintenance status (last update, active development, community engagement) to identify abandoned or unmaintained servers that pose supply chain risks. Integrates with GitHub API to gather maintainer and repository metadata.

Aggregates findings from all scanning modules (static rules, deep scan, taint analysis, injection testing, sandbox monitoring) and computes a composite vulnerability severity score based on exploitability, impact, and blast radius. Prioritizes findings for remediation using a scoring engine that considers attack complexity, required privileges, and potential damage. Generates risk reports with remediation guidance ranked by severity.

Provides a hardened, minimal agent runtime (MiniClaw) that enforces security policies at execution time. Implements a tool whitelist that only allows explicitly approved tools, path sanitization for file access, and an egress firewall that prevents unauthorized network requests. Acts as a secure alternative to standard agent setups, with hooks into the agent lifecycle to validate tool calls against a RuntimePolicy before execution.

Provides GitHub Action integration that runs AgentShield scans automatically on pull requests and commits. Supports baseline comparison to detect regressions (new vulnerabilities introduced), quality gates that fail builds if severity thresholds are exceeded, and watch mode that alerts on configuration changes. Integrates with GitHub's status checks and pull request reviews to block merges with critical vulnerabilities.

Automatically generates and applies fixes for detected vulnerabilities, including moving hardcoded secrets to environment variables, removing wildcard tool permissions, sanitizing hook code, and pinning MCP server versions. Provides an initialization mode that creates secure baseline configurations from scratch. Uses code transformation patterns to modify configuration files safely while preserving structure and comments.

Enables organizations to define custom security policies that extend AgentShield's built-in rules, enforcing organization-specific requirements (e.g., 'all MCP servers must be from approved registry', 'no external network access'). Generates compliance reports showing which agents meet organizational policies and which require remediation. Integrates with policy management systems to enforce policies across multiple agent projects.

Monitors the health of MCP servers and agent skills by tracking dependency versions, maintenance status, and security updates. Provides notifications when new versions are available, when dependencies become unmaintained, or when security patches are released. Maintains a skills registry that tracks which agents use which skills and enables impact analysis for updates.

Analyzes agent tool permission definitions to identify overly broad access patterns, including wildcard permissions (e.g., Bash(*)), missing deny lists for destructive operations, and privilege escalation vectors. Uses pattern matching on tool definitions to flag configurations where an agent could execute arbitrary shell commands or access sensitive files without restrictions.

Analyzes PreToolUse and SessionStart hooks for command injection vulnerabilities and data exfiltration patterns. Scans hook code for dangerous patterns (shell metacharacters, subprocess calls, network requests) and detects capability escalation attempts where hooks could bypass tool restrictions or leak system prompts. Uses AST-level or regex-based pattern matching to identify risky hook implementations.

Analyzes MCP server configurations to identify supply chain vulnerabilities including unpinned versions, npx auto-installs, and risky server sources. Cross-references servers against a threat intelligence database (CVE database) to flag known vulnerable versions. Detects dynamic server loading patterns that could allow injection of malicious servers and validates server source authenticity.

Detects prompt injection vulnerabilities and capability escalation attacks in agent prompts, including 'Russian Doll' multi-chain injection vectors where an attacker chains multiple prompts to bypass restrictions. Analyzes prompt definitions for patterns that could allow an attacker to override system instructions, escalate tool access, or manipulate agent behavior. Uses pattern matching and semantic analysis to identify risky prompt structures.

Activates an advanced security analysis mode using Claude 3.5 Opus in a three-agent pipeline (Attacker/Defender/Auditor) to simulate real-world exploits against agent configurations. The Attacker agent generates adversarial prompts and attack scenarios, the Defender agent proposes mitigations, and the Auditor agent validates findings. This goes beyond static rules to discover novel vulnerabilities through adversarial reasoning.

Performs data flow analysis to track how sensitive data (system prompts, API keys, user inputs) flows through agent configurations, hooks, and tool calls. Identifies potential exfiltration paths where sensitive data could leak to external systems (network requests, logs, tool outputs). Uses taint propagation to mark sensitive sources and detect when tainted data reaches dangerous sinks.

Generates adversarial prompts designed to exploit detected vulnerabilities and simulates their execution against the agent configuration without actually running them. Tests injection vectors including prompt override, tool escalation, and data exfiltration. Uses Claude 3.5 Opus to generate realistic attack prompts and validates whether the agent's security controls would prevent exploitation.

Executes agent configurations in an isolated sandbox environment and monitors their runtime behavior for security violations. Tracks system calls, network requests, file access, and tool invocations to detect whether the agent violates its declared permissions or exhibits suspicious behavior. Compares actual behavior against the declared security policy to identify policy violations.