AgentShield scans AI setups
- A tool called AgentShield was highlighted that scans AI deployments for secrets, misconfigurations, prompt injection, and permission risks.
- AgentShield outputs graded reports (A–F) covering secrets, MCP risks, prompt injection, and supply-chain issues.
- Automated auditors like this make it easier to baseline LLM tool risk, but they also require integration into CI/CD and platform telemetry pipelines to stay current (x.com).
A new security scanner called AgentShield is being used to inspect AI agent setups before they go live, flagging secrets, risky tool permissions, prompt injection paths, and Model Context Protocol server exposure. (github.com)

AgentShield is published as an open-source project on GitHub and distributed as a command-line tool, a GitHub Action, and a GitHub App. Its GitHub Marketplace listing says it scans Claude Code configurations for hardcoded secrets, permission misconfigurations, hook injection, Model Context Protocol (MCP) server risks, and agent prompt injection vectors. (github.com, github.com)

The tool prints a graded report, from A to F, with category scores for areas including secrets, permissions, hooks, MCP servers, and agents. In the sample report on its Marketplace page, AgentShield assigned an F, a score of 0 out of 100, and listed 73 findings, including 19 marked critical. (github.com)

MCP is the plumbing that lets an artificial intelligence assistant call outside tools, databases, and files instead of answering from its model alone. Anthropic introduced MCP in November 2024 as an open standard for connecting assistants to business tools, repositories, and development environments. (anthropic.com, modelcontextprotocol.io)

That plumbing creates a new attack surface when tool descriptions, retrieved documents, or server responses contain hidden instructions. Microsoft said in an April 28, 2025 post that indirect prompt injection in MCP can push a model into unintended tool calls or data exfiltration, including a form of attack known as tool poisoning. (developer.microsoft.com)

AgentShield's pitch is that those checks can run before deployment instead of after an incident. Its Marketplace page says the scanner can emit JSON for continuous integration pipelines, HTML reports for review, and auto-fixes for some secret-handling issues by replacing hardcoded values with environment-variable references. (github.com)

The timing lines up with a broader push to treat large language model security like ordinary software security. The Open Worldwide Application Security Project's Top 10 for Large Language Model Applications lists prompt injection, sensitive information disclosure, supply-chain weaknesses, and improper output handling among the main risks developers now have to test for. (owasp.org)

The scanner does not remove the need for runtime controls once an agent is in production. AgentShield's own documentation focuses on configuration audits and pipeline integrations, while Microsoft's MCP guidance recommends additional defenses such as validating tool metadata, isolating trust boundaries, and treating external content as untrusted input. (github.com, developer.microsoft.com)

That leaves tools like AgentShield in the same role as a code linter or dependency scanner: useful for catching obvious problems early, but only if teams wire the checks into build systems and keep watching what their agents do after release. (github.com, owasp.org)
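To make the kind of pre-deployment check described above concrete, here is an added Python example (not AgentShield's code; the project's internal rules and scoring are not described on the page beyond its categories and A–F scale). It scans a constructed MCP server configuration in the shape of a Claude Code `.mcp.json` file (assumed format) for hardcoded credentials, rewrites env secrets to environment-variable references the way the page says the auto-fix does, and assigns a letter grade using made-up thresholds:

```python
import json
import re

# Constructed sample in the shape of a Claude Code ".mcp.json" (assumed format).
# One env value and one connection URL carry hardcoded credentials; a third
# entry already uses an environment-variable reference and must not be flagged.
SAMPLE_CONFIG = {"mcpServers": {
    "github": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"],
               "env": {"GITHUB_TOKEN": "ghp_" + "A" * 36}},
    "db": {"command": "mcp-postgres",
           "args": ["--url", "postgres://app:hunter2@db.internal/prod"],
           "env": {"PG_PASSWORD": "${PG_PASSWORD}"}}}}

SENSITIVE_KEY = re.compile(r"(TOKEN|SECRET|PASSWORD|API_KEY)", re.I)  # env keys worth checking
URL_CREDS = re.compile(r"^[a-z][a-z0-9+.-]*://[^:/@\s]+:[^@\s]+@")    # user:pass@ inside a URL
ENV_REF = re.compile(r"^\$\{[A-Z_][A-Z0-9_]*\}$")                     # already an env reference

def find_secrets(config):
    """Return (server, location, kind) for each hardcoded credential found."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        for key, value in server.get("env", {}).items():
            if SENSITIVE_KEY.search(key) and not ENV_REF.match(value):
                findings.append((name, f"env.{key}", "hardcoded secret"))
        for i, arg in enumerate(server.get("args", [])):
            if URL_CREDS.match(arg):
                findings.append((name, f"args[{i}]", "credentials in URL"))
    return findings

def autofix(config):
    """Swap hardcoded env secrets for ${VAR} references; return (new config, vars to export)."""
    fixed = json.loads(json.dumps(config))  # deep copy so the caller's config is untouched
    exported = {}
    for name, server in fixed.get("mcpServers", {}).items():
        for key, value in server.get("env", {}).items():
            if SENSITIVE_KEY.search(key) and not ENV_REF.match(value):
                var = f"{name}_{key}".upper()
                exported[var] = value           # operator moves this into the real environment
                server["env"][key] = "${" + var + "}"
    return fixed, exported

def grade(findings):
    """Made-up scoring: URL credentials weigh more; letter thresholds are illustrative."""
    score = max(0, 100 - sum(25 if kind == "credentials in URL" else 15 for _, _, kind in findings))
    for letter, floor in (("A", 90), ("B", 80), ("C", 70), ("D", 60)):
        if score >= floor:
            return score, letter
    return score, "F"
```

Credentials embedded in command-line arguments are only reported, not rewritten, mirroring the page's point that auto-fix covers only some secret-handling issues.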