# Agent Security Scanner MCP — Scan Repos for Risks

> Agent Security Scanner MCP provides tools to scan repos for risky patterns so agents flag issues before running code or touching secrets.

## Install

Merge the JSON below into your `.mcp.json`:

## Quick Use

1. Install / run:

```bash
git clone https://github.com/sinewaveai/agent-security-scanner-mcp && cd agent-security-scanner-mcp
```

2. Start / smoke test:

```bash
sed -n '1,260p' README.md
```

3. Verify:
   - Run one scan against a small repo and ensure the tool output is structured enough to feed into your agent’s decision gate.

## Intro

Agent Security Scanner MCP provides tools to scan repos for risky patterns so agents flag issues before running code or touching secrets.

- **Best for:** Teams running coding agents who want a lightweight ‘preflight’ scan before executing anything
- **Works with:** MCP clients + CI or local dev environments; use read-only scans before writes
- **Setup time:** 15 minutes

## Practical Notes

- Setup time ~15 minutes (install + run server + connect client)
- Gate condition: scan output must be machine-readable (JSON/structured fields) before you automate blocking
- GitHub stars + forks (verified): see Source & Thanks

If your agent can run code, you need a safety gate. A practical pattern is: scan → decide → run. Keep scan tools deterministic and read-only, and log every decision. Even a simple ‘risk score’ plus a few hard blocks can prevent the most common failures.

### FAQ

**Q: Does this replace a full security review?**
A: No. It’s a fast preflight. Use it to catch obvious risks before agent execution.

**Q: What should it block by default?**
A: Anything involving secrets, network exfil paths, or suspicious install scripts until reviewed.

**Q: Where should I run it?**
A: In CI or a sandboxed environment; keep it read-only against your source tree.
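
The scan → decide → run gate from Practical Notes, using the FAQ's default blocks, as an added Python example that is not code from the scanner project. The report schema (`findings`, `category`, `severity`), the category names, the weights and the threshold are assumptions, not the tool's actual output format.

```python
import json
import logging

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("preflight-gate")

# Assumed categories, weights and threshold; not the scanner's real schema.
HARD_BLOCK = {"secret", "network_exfil", "install_script"}
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7}
MAX_SCORE = 10

# Constructed sample scan outputs for the demonstration.
CLEAN = '{"findings": [{"category": "lint", "severity": "low", "path": "src/app.py"}]}'
SECRET = '{"findings": [{"category": "secret", "severity": "high", "path": ".env"}]}'
NOISY = '{"findings": [' + ", ".join(['{"category": "dependency", "severity": "medium"}'] * 4) + "]}"
BROKEN = "scan complete: 0 issues"  # free text, not machine-readable


def decide(scan_json: str, max_score: int = MAX_SCORE) -> dict:
    """Return an allow/block decision for one scan report, failing closed."""
    try:
        report = json.loads(scan_json)
        findings = report["findings"]
        if not isinstance(findings, list):
            raise TypeError("findings must be a list")
        hard = sorted({f["category"] for f in findings} & HARD_BLOCK)
        score = sum(SEVERITY_WEIGHT[f["severity"]] for f in findings)
    except (ValueError, KeyError, TypeError) as exc:
        # Unparseable or unexpected output is never treated as "clean".
        decision = {"allow": False, "reason": f"unreadable scan output: {exc!r}"}
    else:
        if hard:
            decision = {"allow": False, "reason": "hard block: " + ", ".join(hard)}
        elif score > max_score:
            decision = {"allow": False, "reason": f"risk score {score} > {max_score}"}
        else:
            decision = {"allow": True, "reason": f"risk score {score} <= {max_score}"}
    log.info(json.dumps(decision, sort_keys=True))  # log every decision
    return decision


if __name__ == "__main__":
    for sample in (CLEAN, SECRET, NOISY, BROKEN):
        decide(sample)
```

The gate only reads the report and returns a decision; the caller runs the agent step only when `allow` is true.
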
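## Source & Thanks

> Source: https://github.com/sinewaveai/agent-security-scanner-mcp
> License: MIT
> GitHub stars: 100 · forks: 10

---

## Quick Use

1. Install / run:

```bash
git clone https://github.com/sinewaveai/agent-security-scanner-mcp && cd agent-security-scanner-mcp
```

2. Start / smoke test:

```bash
sed -n '1,260p' README.md
```

3. Verify:
   - Run one scan against a small repo and confirm the output is structured enough to plug into your own "is execution allowed" decision gate.

## Intro

Agent Security Scanner MCP provides a set of scanning tools that help agents identify high-risk patterns in a repository (such as suspicious dependencies and potential leak points) before executing code or touching credentials, and that give reviewable risk warnings before the execution stage begins.

- **Best for:** Teams using coding agents who want a lightweight security preflight before executing anything
- **Works with:** MCP-capable clients + CI/local environments; run read-only scans before writes
- **Setup time:** 15 minutes

## Practical Notes

- Getting started takes about 15 minutes (install + start server + connect client)
- Gate condition: first make sure the output is machine-readable (JSON/structured fields), then automate blocking
- GitHub stars + forks (verified): see "Source & Thanks"

As long as an agent can execute code, it must have a safety gate. A practical flow is: scan → decide → run. Scan tools should be repeatable and read-only, and every decision should be logged. Even just "risk score + a few hard-block rules" can prevent the most common incidents.

### FAQ

**Can it replace a full security audit?**
A: No. It is more like a fast preflight, used to stop obvious risks before the agent executes.

**What should it block by default?**
A: Cases involving credentials, outbound/exfiltration paths, or suspicious install scripts: block first, then review.

**Where should it run?**
A: CI or a sandboxed environment; keep it read-only against the source tree.

## Source & Thanks

> Source: https://github.com/sinewaveai/agent-security-scanner-mcp
> License: MIT
> GitHub stars: 100 · forks: 10

---

Source: https://tokrepo.com/en/workflows/agent-security-scanner-mcp-scan-repos-for-risks
Author: MCP Hub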