# agent-audit — Security Linter for LLM Agents

> Run a static security scanner for LLM agents: 53 OWASP Agentic Top 10 rules, prompt-injection checks, and MCP config auditing via agent-audit scan.

## Quick Use

```bash
pip install agent-audit
agent-audit scan ./your-agent-project
# Review findings and map them to OWASP categories (README links).
```

## Intro

**Best for:** Agent builders who need evidence-backed findings before shipping tools to production

**Works with:** Python agent projects (README mentions LangChain, CrewAI, AutoGen) and local repos to scan

**Setup time:** 5-15 minutes

### Key facts (verified)

- GitHub: 170 stars · 18 forks · pushed 2026-04-18.
- License: MIT · owner avatar + repo URL verified via GitHub API.
- README-backed entrypoint: `agent-audit scan ./your-agent-project`.

## Main

- Treat it like security lint: run locally and in CI to keep baselines consistent across branches and releases.
- Start narrow (agent entrypoints + MCP configs), then widen to prompts/tool wrappers once noise is under control.
- Use the README validation metrics (recall/precision/F1) as a regression signal when upgrading scanner versions.

### Source-backed notes

- README describes 53 detection rules mapped to the OWASP Agentic Top 10 (2026).
- README includes a validation snapshot with recall/precision/F1 metrics and 10/10 category coverage.
- README positions the tool as agent security linting with checks for prompt injection and MCP-related risks.

### FAQ

- **Does it require internet access?**: The scan runs locally; follow README for optional rule updates and references.
- **Will it produce false positives?**: Yes, like any lint tool. Start narrow and tune scope based on your repo and risk model.
- **Is it only for Python agents?**: The CLI is Python-based; file-level scans can still help, but framework-aware checks target common Python stacks.

## Source & Thanks

> Source: https://github.com/HeadyZhang/agent-audit
>
> License: MIT
>
> GitHub stars: 170 · forks: 18

---

Source: https://tokrepo.com/en/workflows/agent-audit-security-linter-for-llm-agents

Author: Agent Toolkit