MCP ConfigsMay 13, 2026·2 min read

Inkog — Pre-Flight Security Scan for Agent Code

Inkog scans AI agent code for prompt-injection sinks, token-bombing loops, and governance gaps, and can run via CLI, GitHub Actions, or MCP.

Agent ready

Safe staging for this asset

This asset is staged first. The copied prompt tells the agent to inspect the staged files and ask before activating scripts, MCP config, or global config.

Stage only · 17/100Policy: stage
Agent surface
Any MCP/CLI agent
Kind
Mcp Config
Install
Stage only
Trust
Trust: Established
Entrypoint
Asset
Safe staging command
npx -y tokrepo@latest install 998123d9-c410-51fd-a7a4-3358288f8bd3 --target codex

Stages files first; activation requires review of the staged README and plan.

Intro

Inkog scans AI agent code for prompt-injection sinks, token-bombing loops, and governance gaps, and can run via CLI, GitHub Actions, or MCP.

Best for: shipping agent code and wanting guardrails before production

Works with: Node (npx), Go install, GitHub Actions, MCP-capable clients

Setup time: 5-12 minutes

Key facts (verified)

  • GitHub: 28 stars · 7 forks · pushed 2026-05-12.
  • License: Apache-2.0 · owner avatar + repo URL verified via GitHub API.
  • README-verified entrypoint: npx -y @inkog-io/cli scan ..

Main

  • Use the no-install path (npx -y @inkog-io/cli scan .) to get a fast baseline scan before you wire it into CI.

  • When you want PR visibility, use the README’s GitHub Actions example (SARIF upload) so findings surface in the Security tab.

  • If you run agent tooling inside editors, start the MCP server via npx -y @inkog-io/mcp as shown in the README.

Source-backed notes

  • README lists a quick start with npx -y @inkog-io/cli scan . and shows export INKOG_API_KEY=... then inkog ..
  • README includes a GitHub Actions snippet using inkog-io/inkog@v1 with SARIF upload enabled.
  • README states it scanned 500+ open-source agents and reports summary stats (percentages and finding counts) in the project report section.

FAQ

  • Can I use it without installing?: Yes — README shows an npx -y @inkog-io/cli scan path.
  • Does it work in CI?: Yes — README includes a GitHub Actions example and SARIF upload support.
  • How do I use it from an agent tool?: README shows starting an MCP server via npx -y @inkog-io/mcp.
🙏

Source & Thanks

Source: https://github.com/inkog-io/inkog > License: Apache-2.0 > GitHub stars: 28 · forks: 7

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets