Hey HN,
I built Aguara because I kept seeing the same problem: AI agents and MCP servers
run code on your behalf, and nobody is checking what that code actually does before
it runs.
A single malicious skill file can exfiltrate your SSH keys, inject prompts to
override safety instructions, or curl-pipe-bash a backdoor. I wanted something
like Semgrep but specifically for the AI agent ecosystem.
Aguara is a Go binary that does static analysis on skill files (markdown,
YAML, JSON configs). It's offline, deterministic, no LLM, no API keys needed.
What it catches:
- Prompt injection (instruction overrides, jailbreaks, delimiter injection)
- Data exfiltration (webhook URLs, DNS tunneling, env var leaks)
- Credential leaks (OpenAI/AWS/GCP keys, private keys, DB connection strings)
- Supply-chain attacks (curl|bash, binary download+execute, unpinned npx)
- MCP-specific threats (tool injection, privileged docker, shell metacharacters)
- 138 rules across 15 categories total
It goes beyond regex — there's NLP-based markdown structure analysis (using
goldmark AST walking) to catch things like hidden instructions in HTML comments,
and taint tracking to detect dangerous capability combinations (e.g., a skill
that reads private data AND has network access).
I also built Aguara Watch (https://watch.aguarascan.com/) which continuously
scans 31,000+ public AI agent skills across 5 registries (skills.sh, ClawHub,
PulseMCP, mcp.so, LobeHub). The scan data is open — you can query any skill's
security report via a static JSON API.
Some numbers from scanning the entire public ecosystem:
- 31,330 skills scanned
- ~2,330 with security findings (7.4%)
- 448 critical findings (mostly curl|bash, hardcoded keys, jailbreak prompts)