Firmis Scanner

The security layer for AI agents

Security scanner for AI agents. Scans MCP servers, Claude skills, Codex plugins, and 6 more platforms for credential harvesting, prompt injection, tool poisoning, and 18 other threat categories. 260 detection rules. Zero config.

npx firmis-cli scan

---

The Problem

7.1% of AI agent skills exhibit malicious behavior. Our research found 341 malicious skills in a sample of 100 random installs, including:

• Credential harvesting (AWS keys, SSH keys, API tokens)
• Data exfiltration (sending files to external servers)
• Prompt injection (manipulating AI behavior)
• Privilege escalation (sudo, process injection)

Static analysis catches only ~30% of these threats. The rest manifest at runtime.

Quick Start

# Install globally
npm install -g firmis-cli

# Scan all detected AI platforms
firmis scan

# Scan specific platform
firmis scan --platform claude

# Output as JSON for CI/CD
firmis scan --json --output report.json

# Output as SARIF for GitHub Security
firmis scan --sarif --output results.sarif

Scan Any Agent Framework

Firmis works with any AI agent codebase - auto-detects the framework:

npx firmis scan ./my-crewai-project
npx firmis scan ./path/to/langchain-app
npx firmis scan ./any-agent-code

Auto-detected frameworks: LangChain, CrewAI, AutoGen, MetaGPT, AutoGPT, LangFlow, MCP Servers, n8n

No --platform flag needed. Firmis detects the framework from package.json, pyproject.toml, or requirements.txt and runs all 269 rules against it.

What is Firmis?

Firmis is a security scanner purpose-built for AI agents. It analyzes the code of MCP servers, Claude skills, Codex plugins, and other AI agent tools BEFORE you install them - detecting credential harvesting, data exfiltration, prompt injection, tool poisoning, and 21 total threat categories.

Who is it for? Developers using AI coding assistants (Claude Code, Cursor, Codex) who install MCP servers and agent skills. Security teams evaluating AI agent deployments. CI/CD pipelines that need to gate on security.

**How is it different from mcp-scan?** Firmis scans 9 platforms (not just MCP), has 260 rules (not just config checks), and includes runtime monitoring capabilities.

Features

Capability	Command	Tier
Scan for threats (260 rules, 21 categories)	firmis scan	Free
Discover AI agent platforms	firmis discover	Free
Generate Agent BOM (CycloneDX)	firmis bom	Free
CI/CD pipeline with fail gates	firmis ci	Free
HTML/JSON/SARIF reports	firmis scan --html	Free

Supported Platforms

Platform	Config Location	Support
Claude Code Skills	~/.claude/skills/	Full
MCP Servers	~/.config/mcp/, claude_desktop_config.json	Full
OpenAI Codex Plugins	~/.codex/plugins/	Full
Cursor Extensions	~/.cursor/extensions/	Full
CrewAI Agents	Project crew.yaml, agents.yaml	Full
AutoGPT Plugins	~/.autogpt/plugins/	Full
OpenClaw Skills	~/.openclaw/skills/, workspace skills/	Full
Nanobot Agents	nanobot.yaml, agents/*.md	Full
Supabase	supabase/migrations/, config.toml	Full

Supabase Security

Firmis auto-detects Supabase projects and scans for:

• Row Level Security: Tables without RLS, missing policies, overly permissive USING (true) clauses
• Storage Buckets: Public buckets, buckets without access policies
• API Keys: service_role key in client code, .env files in git, hardcoded credentials
• Auth Config: Email confirmation disabled, OTP expiry too long, missing SMTP
• Functions: SECURITY DEFINER functions that bypass RLS

# Scan Supabase project
firmis scan --platform supabase

# Example output
  Firmis Scanner v1.5.0

  Detecting platforms...
  ✓ Supabase: 8 migrations found

  THREAT DETECTED
     Platform: Supabase
     Component: supabase-project
     Risk: CRITICAL
     Category: access-control

     Evidence:
       - Table 'profiles' has RLS disabled
       - Policy 'allow_all' uses USING (true)

     Location: supabase/migrations/001_profiles.sql:12

Example Output

  Firmis Scanner v1.5.0

  Detecting platforms...
  ✓ Claude Skills: 47 skills found
  ✓ MCP Servers: 12 servers configured

  Scanning 59 total components...

  ⚠️  THREAT DETECTED
     Platform: Claude Skills
     Component: data-exporter-v2
     Risk: HIGH
     Category: credential-harvesting

     Evidence:
       - Reads ~/.aws/credentials
       - Sends to: api.suspicious-domain.com

     Location: skills/data-exporter-v2/index.js:47

  SCAN COMPLETE
    57 components passed
    2 threats detected (1 HIGH, 1 MEDIUM)

CLI Reference

firmis scan [path]

Scan for security threats.

Options:
  -p, --platform <name>   Scan specific platform (claude|mcp|codex|cursor|crewai|autogpt|openclaw|nanobot|supabase)
  -a, --all               Scan all detected platforms (default)
  -j, --json              Output as JSON
  --sarif                 Output as SARIF (GitHub Security)
  --html                  Output as HTML report
  -s, --severity <level>  Minimum severity to report (low|medium|high|critical)
  -o, --output <file>     Write report to file
  -v, --verbose           Verbose output
  --concurrency <n>       Number of parallel workers (default: 4)

firmis list

List detected AI platforms.

Options:
  -j, --json              Output as JSON

firmis validate <rules...>

Validate custom rule files.

Options:
  --strict                Enable strict validation

Threat Categories

Category	Severity	Description
credential-harvesting	HIGH-CRITICAL	Access to AWS, SSH, GCP, or other credentials
data-exfiltration	HIGH	Sending data to external servers
prompt-injection	MEDIUM-HIGH	Attempting to manipulate AI behavior
privilege-escalation	HIGH-CRITICAL	sudo, setuid, kernel modules
suspicious-behavior	LOW-MEDIUM	Obfuscation, anti-debugging, persistence
access-control	HIGH-CRITICAL	RLS misconfigurations, missing policies
insecure-config	MEDIUM-HIGH	Auth settings, OTP expiry, SMTP config

CI/CD Integration

GitHub Actions

name: Security Scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install Firmis
        run: npm install -g firmis-cli

      - name: Run Security Scan
        run: firmis scan --sarif --output results.sarif

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

Pre-commit Hook

#!/bin/bash
# .git/hooks/pre-commit

firmis scan --severity high
if [ $? -ne 0 ]; then
  echo "Security threats detected. Commit blocked."
  exit 1
fi

Custom Rules

Create custom YAML rules for organization-specific threats:

# my-rules/internal-api.yaml
rules:
  - id: internal-001
    name: Internal API Key Exposure
    description: Detects hardcoded internal API keys
    category: credential-harvesting
    severity: critical
    version: "1.0.0"
    enabled: true
    confidenceThreshold: 90

    patterns:
      - type: regex
        pattern: "INTERNAL_[A-Z]+_KEY"
        weight: 100
        description: Internal API key pattern

    remediation: |
      Use environment variables or a secrets manager.

Run with custom rules:

firmis scan --config firmis.config.yaml

# firmis.config.yaml
customRules:
  - ./my-rules/
severity: medium

Programmatic API

import { ScanEngine, RuleEngine } from 'firmis-cli'

const ruleEngine = new RuleEngine()
await ruleEngine.load()

const scanEngine = new ScanEngine(ruleEngine)
const result = await scanEngine.scan('./my-skills', {
  platforms: ['claude'],
  severity: 'medium',
})

console.log(`Found ${result.summary.threatsFound} threats`)

MCP Server

Firmis is available as an MCP server, allowing AI agents to scan code for security threats directly.

Claude Code / Claude Desktop

Add to your MCP settings:

{
  "mcpServers": {
    "firmis": {
      "command": "npx",
      "args": ["-y", "firmis-cli", "--mcp"]
    }
  }
}

Cursor

Add to .cursor/mcp.json:

{
  "mcpServers": {
    "firmis": {
      "command": "npx",
      "args": ["-y", "firmis-cli", "--mcp"]
    }
  }
}

Available MCP Tools

Tool	Description
firmis_scan	Scan a path for AI agent security threats
firmis_discover	Discover installed AI agent platforms
firmis_report	Generate an HTML security report

FAQ

What does Firmis detect? 269 detection rules across 26 threat categories. Covers credential extraction, tool poisoning, prompt injection, data exfiltration, supply chain attacks, privilege escalation, and more. Scans MCP servers, Claude Code, Cursor, Codex, CrewAI, AutoGPT, OpenClaw, Nanobot, and Supabase.

Is it free? Yes. The scanner is free, open-source (Apache-2.0), and requires no account. Run npx firmis-cli scan — unlimited scans, all 269 rules, HTML + JSON reports.

What is tool poisoning? Tool poisoning is when an MCP server embeds hidden instructions in tool descriptions to hijack your AI agent. Research shows a 72.8% attack success rate. Firmis detects known poisoning patterns, malicious tool definitions, and description/behavior mismatches.

How is Firmis different from mcp-scan? mcp-scan checks MCP server configs against a known-bad list. Firmis runs 269 static analysis rules across 9 platforms (not just MCP), generates compliance reports, and includes deep scan (AI-powered analysis) and runtime monitoring.

Contributing

We welcome contributions! Please see CONTRIBUTING.md for guidelines.

# Clone the repository
git clone https://github.com/firmislabs/firmis-scanner.git
cd firmis-scanner

# Install dependencies
npm install

# Run tests
npm test

# Build
npm run build

# Run locally
npm run firmis -- scan

Performance

Metric	Target	Actual
50 skills scan	< 30s	~15s
Memory usage	< 256MB	~120MB
False positive rate	< 5%	~3%

Security

Found a security vulnerability? Please report it privately to security@firmislabs.com.

License

Apache License 2.0 - see LICENSE for details.

---

Built by Firmis Labs · Purpose-built security for the AI agent ecosystem