# Aguara — Security Scanner for MCP & Skills > Offline scanner for agent skills and MCP servers. Detect prompt injection and exfiltration; outputs JSON/SARIF and supports CI thresholds. ## Install Save the content below to `.claude/skills/` or append to your `CLAUDE.md`: ## Quick Use ```bash # Homebrew (macOS/Linux) brew install garagon/tap/aguara # Scan a repo or MCP server directory aguara scan . # CI-style: only fail on high severity, emit JSON aguara scan . --severity high --format json ``` ## Intro Aguara is an offline security scanner that inspects agent skills and MCP servers before you run them, helping catch prompt injection and credential exfiltration patterns early. **Best for:** Teams deploying MCP servers, skill marketplaces, and CI policy gates for tool safety **Works with:** macOS/Linux; Go install or Homebrew; can run in Docker for hermetic scans **Setup time:** 5–15 minutes ### Key facts (verified) - README highlights 189 detection rules across 14 categories and an aggregate 0–100 risk score. - Supports JSON and SARIF outputs plus CLI thresholds like `--severity` / `--fail-on` (README). - GitHub: 76 stars · 15 forks; pushed 2026-05-13 (GitHub API verified). ## Main Use Aguara as a preflight step for any “tooling you didn’t author”: 1) Scan new MCP servers before adding them to `.mcp.json` or deploying to shared environments. 2) Scan skill repos before publishing to a registry, and fail CI on high-severity findings. 3) Keep a baseline JSON report per version so reviews can diff risk changes over time. ### README excerpt (verbatim)

Aguara

Security scanner for AI agent skills and MCP servers.
Detect prompt injection, data exfiltration, and supply-chain attacks before they reach production.

CI Go Report Card Go Reference GitHub Release License GitHub Stars Docker Homebrew

InstallationQuick StartHow It WorksUsageRulesIncident ResponseAguara MCPAguara WatchContributing

https://github.com/user-attachments/assets/851333be-048f-48fa-aaf3-f8cc1d4aa594 ## Why Aguara? AI agents and MCP servers run code on your behalf. A single malicious skill file can exfiltrate credentials, inject prompts, or install backdoors. Aguara catches these threats **before deployment** with static analysis that requires no API keys, no cloud, and no LLM. - **189 detection rules across 14 categories** — prompt injection, data exfiltration, credential leaks, supply-chain attacks, MCP-specific threats, command execution, SSRF, unicode attacks, and more. ### FAQ **Q: Does Aguara require an LLM or API keys?** A: README states the analysis is offline and deterministic, so it does not require API keys or a cloud service. **Q: How do I use it in CI?** A: Run `aguara scan` and fail on a chosen threshold (e.g., `--severity high`) while exporting JSON/SARIF artifacts. **Q: What should I scan?** A: Scan skill markdown/YAML/JSON plus MCP server directories so Aguara can detect cross-file risky flows. ## Source & Thanks > Source: https://github.com/garagon/aguara > License: Apache-2.0 > GitHub stars: 76 · forks: 15 --- ## 快速使用 ```bash # Homebrew(macOS/Linux) brew install garagon/tap/aguara # 扫描一个仓库或 MCP server 目录 aguara scan . # CI 用法:只对 high 严重级别失败,并输出 JSON aguara scan . --severity high --format json ``` ## 简介 Aguara 是一个离线安全扫描器:在你运行 agent skills / MCP servers 之前先做静态检查,尽早发现提示注入与凭据外传等风险模式。 **最适合:** 要部署 MCP server、维护 skill 市场/仓库、或在 CI 加入安全门禁的团队 **适配:** macOS/Linux;支持 Go 安装或 Homebrew;也可用 Docker 做一致性扫描 **配置时间:** 5–15 分钟 ### 关键事实(已验证) - README 提到覆盖 14 类、共 189 条检测规则,并输出 0–100 的风险分数。 - 支持 JSON/SARIF 输出,并提供 `--severity`/`--fail-on` 等 CI 阈值控制(README)。 - GitHub:76 stars · 15 forks;最近更新 2026-05-13(GitHub API 验证)。 ## 正文 把 Aguara 当成“运行第三方工具前的体检”: 1) 新增 MCP server(写入 `.mcp.json` 或上线共享环境)前先扫描一遍。 2) 发布 skill 到 registry 前在 CI 扫描,并对高危项直接失败。 3) 为每个版本保留一份 JSON 基线报告,后续升级时做风险 diff 更直观。 ### README 原文节选(verbatim)

Aguara

Security scanner for AI agent skills and MCP servers.
Detect prompt injection, data exfiltration, and supply-chain attacks before they reach production.

CI Go Report Card Go Reference GitHub Release License GitHub Stars Docker Homebrew

InstallationQuick StartHow It WorksUsageRulesIncident ResponseAguara MCPAguara WatchContributing

https://github.com/user-attachments/assets/851333be-048f-48fa-aaf3-f8cc1d4aa594 ## Why Aguara? AI agents and MCP servers run code on your behalf. A single malicious skill file can exfiltrate credentials, inject prompts, or install backdoors. Aguara catches these threats **before deployment** with static analysis that requires no API keys, no cloud, and no LLM. - **189 detection rules across 14 categories** — prompt injection, data exfiltration, credential leaks, supply-chain attacks, MCP-specific threats, command execution, SSRF, unicode attacks, and more. ### FAQ **Aguara 需要调用模型或 API key 吗?** 答:README 强调离线、可复现的静态分析,因此不依赖云服务或 API key。 **怎么放到 CI 里?** 答:用 `aguara scan` 扫描并按阈值失败(如 `--severity high`),同时保存 JSON/SARIF 产物。 **应该扫描哪些内容?** 答:优先扫描 skills 的 Markdown/YAML/JSON 以及 MCP server 目录,便于发现跨文件组合造成的风险链路。 ## 来源与感谢 > Source: https://github.com/garagon/aguara > License: Apache-2.0 > GitHub stars: 76 · forks: 15 --- Source: https://tokrepo.com/en/workflows/aguara-security-scanner-for-mcp-skills Author: Script Depot