Launched this week
AgentRisk
Scan untrusted AI-agent repos before your agent runs them
7 followers
Scan untrusted AI-agent repos before your agent runs them
7 followers
AgentRisk is a zero-execution preflight scanner and local MCP server for AI-agent artifacts. Point it at a folder, GitHub URL, npm package, or tarball before your coding agent opens it. It flags risky MCP launchers, install scripts, secret-forwarding config, and repo instructions like "readenv" or "ignore approval". Use it from the CLI or as an MCP tool: npx --yes agentrisk@latest mcp config. Exports JSON, Markdown, SARIF, and terminal reports.

I built AgentRisk because AI coding agents now trust more than source code. They read repo instructions, open config files, install packages, and sometimes launch local tools from MCP or editor settings. That makes files like .mcp.json, AGENTS.md, SKILL.md, Cursor rules, Copilot instructions, and package.json part of the agent supply chain.
The goal is intentionally narrow: scan before trust. AgentRisk statically checks high-signal files, never runs target code, never connects to target MCP servers during a scan, and produces evidence-backed findings you can review before handing a repo or package to an AI agent.
AgentRisk can be used from the CLI, and v0.2 also adds a local MCP server so LLM/MCP clients can call the scanner as a tool.
Try it from the CLI:
npx --yes agentrisk@latest scan github:Renga154/agentrisk --format markdown
Or set up the MCP tool:
npx --yes agentrisk@latest mcp config
How does it handle obfuscated payloads in install scripts, like base64-encoded commands that don't trip obvious keyword flags? Curious if there's any heuristic layer beyond simple string matching.
@beyza245588
Great question. Today AgentRisk is intentionally conservative: it never executes install scripts or tries to run/deobfuscate arbitrary payloads.
It currently catches high-signal patterns such as install lifecycle scripts that download and execute remote content, plus shell trampolines like sh -c / bash -c / powershell -Command that often hide chained behavior.
For base64-style payloads specifically, I do not want to overclaim: AgentRisk may catch the surrounding decode-and-exec wrapper, but it is not yet a full static deobfuscation engine. A bounded heuristic layer for things like long encoded blobs, base64/hex decode previews, entropy signals, and decode-then-execute patterns is exactly the kind of next rule pack I want to add.
If you have examples of payloads you’d expect it to catch, I’d love to use them as test cases.
Love that it runs as a local MCP server instead of some cloud upload, makes it actually usable inside an agent workflow. The SARIF export is a nice touch too, finally something that plugs into existing CI security pipelines without fuss.
@merve1519747
Thank you! That was one of the main design goals: keep the scan local and make it usable before an agent actually trusts a repo, package, or MCP config.
SARIF was added so teams can drop AgentRisk into existing CI/code scanning workflows instead of treating it as a one-off CLI check.
Does it scan recursively into nested folders or do I have to feed it each directory one at a time?
@ekelikilkn72240
Yes, it scans recursively. You can point AgentRisk at the repo/package root, and it will look through nested folders for high-signal agent/MCP files like .mcp.json, mcp.json, AGENTS.md, SKILL.md, CLAUDE.md, GEMINI.md, Cursor rules, Copilot instructions, GitHub agent files, and package.json.
So you do not need to feed each directory one at a time.
Example:
npx --yes agentrisk@latest scan ./some-repo
It does skip common noise directories by default, such as node_modules, .git, dist, build, coverage, .next, etc. You can also customize the scan with include/exclude globs if needed.