aguara

Aguara MCP is a security advisor for AI agents. It runs locally as an MCP server that analyzes tools, skills, and MCP configurations for security threats before they are installed or executed. The server exposes several capabilities you can leverage from your agent or MCP client: scan_content to inspect arbitrary text for security issues, check_mcp_config to validate an MCP server configuration, discover_mcp to locate and enumerate local MCP server definitions, and explain_rule / list_rules to understand the threat rules Aguara uses. With these tools, your agent can perform in-process security checks without network calls or external dependencies, ensuring threat detection happens milliseconds after parsing content.

To use Aguara MCP, add the server definition to your MCP client or agent configuration (example shown for Claude Desktop). Once registered, you can invoke scan_content on untrusted skill descriptions or readmes, run check_mcp_config on your MCP server settings, or run discover_mcp to confirm what is installed locally. The result is a structured security report that highlights potential issues such as prompt injection risks, data exfiltration, or unsafe dependencies, enabling the agent to decide whether to proceed with installation or execution.

Prerequisites:

• Go 1.20+ (or newer) installed on your machine
• A working Go environment (GOPATH or Go modules)
• Internet access to fetch the Aguara MCP binary

Installation methods:

1. Quick install (recommended):

curl -fsSL https://raw.githubusercontent.com/garagon/aguara-mcp/main/install.sh | sh

This script builds and installs the aguara-mcp binary into your PATH (commonly ~/.local/bin or /usr/local/bin).

2. Go install (manual):

go install github.com/garagon/aguara-mcp@latest

This places the aguara-mcp binary in your Go bin directory (e.g., $GOPATH/bin). Ensure that directory is in your PATH.

3. Verify installation:

aguara-mcp --version

Configuration:

• After installation, ensure your PATH contains the directory with aguara-mcp so your MCP client can invoke it as aguara-mcp.
• Add the server to your MCP client configuration as shown in the README example (Claude Desktop, Cursor, Windsurf, etc.).

Tips and common gotchas:

• Aguara MCP runs entirely locally with no external network access. It does not perform any LLM calls or remote analysis.
• The agent should register Aguara using the provided command (aguara-mcp) so it can call scan_content, check_mcp_config, list_rules, explain_rule, and discover_mcp.
• If you customize environment paths, ensure the executable is discoverable by your MCP client (update PATH or provide full path in the server definition).
• Regularly update Aguara MCP to incorporate new rules and threat coverage (the README notes 160+ rules across multiple categories; newer releases expand coverage).
• When using scan_content, you can filter results with min_severity or disable specific rules to tailor the analysis to your risk model.
• If you encounter permission errors on macOS/Linux, ensure the binary has execute permissions (chmod +x aguara-mcp) and that your shell can locate the binary.