Skip to content

FreeGuy21-code/Agent-Warden

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
agentwarden.egg-info
agentwarden.egg-info
 
 
agentwarden
agentwarden
 
 
README.md
README.md
 
 
pyproject.toml
pyproject.toml
 
 
report.html
report.html
 
 

Repository files navigation

AgentWarden 🛡️

Security scanner for MCP (Model Context Protocol) servers.

AgentWarden scans MCP servers for real, documented vulnerabilities — the same classes of issues that have already compromised production deployments.

agentwarden scan https://your-mcp-server.com
agentwarden scan https://your-mcp-server.com -o report.html

Why this exists

In 2026, MCP became the standard protocol for connecting AI agents to tools, databases, and APIs. With that came a new attack surface:

  • 36.7% of 7,000+ live MCP servers were found vulnerable to SSRF (BlueRock Security, 2026)
  • 492 servers had zero authentication and zero encryption (Trend Micro, 2026)
  • Cursor, VS Code, Claude Code, and Gemini-CLI are all vulnerable to MCP-based prompt injection
  • CVE-2025-68143, 68144, 68145 — Anthropic's own MCP servers had published CVEs

AgentWarden is the open-source tool that should have existed before any of this happened.

What it checks

Check Severity Description
AUTH-001 CRITICAL Unauthenticated MCP endpoints
AUTH-002 CRITICAL JSON-RPC accessible without auth
AUTH-003 HIGH Admin/debug panels exposed
SSRF-001 HIGH URL parameters fetched server-side
SSRF-002 CRITICAL SSRF via MCP tool invocation
INJECT-001 CRITICAL Prompt injection in tool descriptions
INJECT-002 HIGH Injection payload reflection
INJECT-004 CRITICAL Unauthenticated tool registration
PERM-001 CRITICAL Shell/exec capabilities exposed
PERM-004 HIGH Full CRUD+exec without scope separation
TLS-001 CRITICAL Server running over HTTP
TLS-002 HIGH Weak TLS versions (1.0/1.1)
TLS-003 HIGH Invalid/self-signed certificate
HEADER-003 HIGH Dangerous CORS misconfiguration
INFO-010 CRITICAL Sensitive config files exposed
INFO-STACK-001 MEDIUM Stack traces in error responses

Install

pip install agentwarden

Or from source:

git clone https://github.com/your-username/agentwarden
cd agentwarden
pip install -e .

Usage

Scan a single server

# Basic scan
agentwarden scan https://mcp.example.com

# Save HTML report
agentwarden scan https://mcp.example.com -o report.html

# Save JSON report
agentwarden scan https://mcp.example.com -o report.json

# Verbose output
agentwarden scan https://mcp.example.com -v

Scan from a local config file

# Supports Claude Desktop config format
agentwarden scan ~/.config/claude/claude_desktop_config.json

# Supports VSCode MCP settings
agentwarden scan ./.vscode/mcp.json

Batch scanning

# Create a list of targets
cat targets.txt
https://mcp-server-1.example.com
https://mcp-server-2.example.com
https://mcp-server-3.example.com

# Scan all
agentwarden batch targets.txt -d ./reports/

Output

Terminal:

[CRITICAL] Unauthenticated MCP endpoints accessible
  Check: AUTH-001
  Description: Found 3 MCP endpoint(s) accessible without any authentication...
  Evidence: /tools (200), /resources (200), /mcp (200)
  Fix: Implement OAuth 2.0 with PKCE for all MCP endpoints...

[HIGH] MCP server running over HTTP (unencrypted)
  Check: TLS-001
  ...

HTML report: Full report with severity summary, color-coded findings, and remediation steps.

JSON report: Machine-readable output for CI/CD integration.

CI/CD Integration

AgentWarden exits with code 1 if any CRITICAL or HIGH findings are found, making it easy to use in pipelines:

# GitHub Actions example
- name: Scan MCP server
  run: |
    pip install agentwarden
    agentwarden scan ${{ secrets.MCP_SERVER_URL }} -o report.html
  continue-on-error: false

Architecture

Each check is an independent scanner module in agentwarden/scanners/:

  • auth.py — Authentication checks
  • ssrf.py — SSRF vulnerability detection
  • prompt_injection.py — Prompt injection surface detection
  • tool_permissions.py — Over-privilege detection
  • tls.py — TLS/certificate checks
  • headers.py — Security header checks
  • info_disclosure.py — Credential/data exposure checks

Adding a new check:

# agentwarden/scanners/my_check.py
from .base import BaseScanner

class MyScanner(BaseScanner):
    name = "My Check"
    
    async def run(self):
        findings = []
        resp, body = await self.get("/some-endpoint")
        if resp and "dangerous_thing" in body:
            findings.append(self.finding(
                check_id="MY-001",
                title="Dangerous thing found",
                description="...",
                severity="HIGH",
                remediation="..."
            ))
        return findings

Then register it in scanner.py.

Contributing

Issues and PRs welcome. Especially:

  • New MCP vulnerability classes
  • Real-world CVE reproductions
  • False positive reports
  • New output formats

License

MIT

References

About

Open-source security scanner for MCP servers — finds auth issues, SSRF, prompt injection, and more before attackers do.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages