agent-scan
Security scanner for AI agents, MCP servers and agent skills.
claude mcp add --transport stdio snyk-agent-scan uv run mcp run demoserver/server.py
How to use
Snyk Agent Scan is a security scanning tool that inventories agent components on your machine, including MCP servers, skills, and other agent tools, and analyzes them for common threats such as prompt injections, malware payloads, and data handling issues. It auto-discovers MCP configurations, so you can run a full machine scan to find MCP servers, skills, and related resources, or target particular configuration files or skills for analysis. It can scan known agents such as Claude, Cursor, Windsurf, and Gemini CLI, and reports results in JSON or human-friendly formats. The inspect command lets you inspect tools and prompts without verification. To enable scanning, obtain an API token for the Snyk service and run the scanner with the appropriate flags (e.g., --skills to analyze skills).
When using Agent Scan, you can run a default scan that auto-discovers MCP configurations and analyzes discovered components. If you want to focus on specific assets, you can point the scanner at a configuration file (mcp.json) or provide paths to skill descriptions. The CLI supports options to adjust timeouts, suppress IO during MCP server runs, and control the level of detail in toxic-flow reporting. The resulting findings help you assess risk across your MCP ecosystem and agent supply chain.
How to install
Prerequisites:
- Python 3.8+ (recommended) and pip
- Access to install packages from PyPI
- Optional: uv (for running MCP servers) if you plan to use MCP configurations that rely on uv
Install steps:
- Install uv (Python package manager and tool launcher) if you don’t have it:
  - On macOS/Linux: curl -LsSf https://astral.sh/uv/install.sh | sh
  - Or follow the official uv installation guide at https://docs.astral.sh/uv/getting-started/installation/
- Install Snyk Agent Scan from PyPI:
  - pip install snyk-agent-scan
- Verify installation:
  - snyk-agent-scan --help
- (Optional) Install additional agents or tools that you plan to scan (e.g., specific MCP server runtimes) as needed for your environment.
Additional notes
Tips and notes:
- Set the SNYK_TOKEN environment variable to authenticate with Snyk services when performing scans that report results back to Snyk Evo or cloud endpoints.
- Use --skills to autodetect and analyze agent skills in addition to MCP servers.
- You can scan specific MCP configuration files by passing their paths to the snyk-agent-scan command, e.g., snyk-agent-scan ~/.vscode/mcp.json
- The CLI provides options like --server-timeout, --storage-file, and --json to tailor output and behavior. Use --print-errors for verbose error traces during debugging.
- For demonstrations, Agent Scan includes a vulnerable MCP server example. When using it, ensure you point the mcp.json configuration (or the embedded example) to the correct server script path and, if necessary, adjust the uv runtime command to match your environment.
- If you encounter permission or path issues with MCP server execution, ensure your environment installs and references the correct Python or Node runtimes and that the working directory contains the referenced paths (e.g., demoserver/server.py).
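The path and runtime checks from the last two tips can be run before a scan. This is an added example, not part of Agent Scan: `preflight`, the server names and the suffix list are assumptions, and the sample configuration is constructed (it uses the current Python interpreter as the command so the result is deterministic).

```python
import json
import shutil
import sys
import tempfile
from pathlib import Path

# Assumption: arguments ending in one of these suffixes are script paths.
SCRIPT_SUFFIXES = {".py", ".js", ".mjs", ".ts"}


def preflight(config_path, workdir):
    """Return (server, problem) pairs for stdio entries that would fail to launch."""
    data = json.loads(Path(config_path).expanduser().read_text())
    # Claude/Cursor-style files use "mcpServers"; VS Code's mcp.json uses "servers".
    servers = data.get("mcpServers") or data.get("servers") or {}
    problems = []
    for name, spec in servers.items():
        command = spec.get("command")
        if not command:  # URL-based (remote) entry: nothing is launched locally
            continue
        if shutil.which(command) is None:
            problems.append((name, f"command not on PATH: {command}"))
        for arg in spec.get("args", []):
            path = Path(workdir) / arg  # an absolute arg replaces workdir
            if path.suffix in SCRIPT_SUFFIXES and not path.is_file():
                problems.append((name, f"script not found: {path}"))
    return problems


def demo():
    """Constructed sample: one entry resolves, two would fail to start."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "demoserver").mkdir()
        (root / "demoserver" / "server.py").write_text("# placeholder\n")
        config = {"mcpServers": {
            "demo-ok": {"command": sys.executable, "args": ["demoserver/server.py"]},
            "demo-bad-path": {"command": sys.executable, "args": ["demoserver/srv.py"]},
            "demo-no-runtime": {"command": "no-such-launcher-xyz", "args": []},
        }}
        cfg = root / "mcp.json"
        cfg.write_text(json.dumps(config))
        return preflight(cfg, root)


if __name__ == "__main__":
    for server, problem in demo():
        print(f"{server}: {problem}")
```

An empty result means every stdio entry's command and script path resolved from the given working directory.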