sohailshaikh20/agentshield

AgentShield

Identity & access security for non-human identities (NHIs).

Enterprises have 10–50x more machine identities than human ones — service accounts, API keys, OIDC tokens, and now AI agents. Most are over-permissioned, unaudited, and invisible to traditional IAM tools.

AgentShield is an open-source scanner that finds risky non-human identities across your stack. We're starting where the pain is newest and sharpest: AI agents and MCP configurations. Service accounts, CI/CD credentials, and cloud workload identities are on the roadmap.

Quick start

npx agentshield scan ~/.claude/claude_desktop_config.json

What it scans today

  • MCP server configurations (Claude Desktop, Cursor, etc.)
  • AI agent IAM policies and tool permissions

Roadmap

  • GitHub Actions secrets and OIDC trust policies
  • AWS / Azure service accounts and workload identities
  • CI/CD pipeline credentials

License: MIT

Quick Start

# Install
npm install -g agentshield

# Scan your MCP configs (auto-detects config locations)
agentshield scan

# Scan a specific file
agentshield scan ~/.claude/claude_desktop_config.json

# See all available rules
agentshield rules

What It Catches

Rule     Severity      Description
MCP-001  🔴 Critical   Hardcoded secrets in environment variables
MCP-002  🟠 High       Overprivileged filesystem access
MCP-003  🟠 High       Unrestricted shell execution
MCP-004  🔵 Medium     No transport security (HTTP without auth)
MCP-005  🟠 High       Known vulnerable MCP packages (CVE database)
MCP-006  🔵 Medium     Excessive tool permissions
MCP-007  🟠 High       Data exfiltration risk (read + network combo)
MCP-008  🔵 Medium     Unversioned package references (supply chain)
MCP-009  🔵 Medium     Localhost-only exposure violation (0.0.0.0)
MCP-010  ⚪ Low        Missing resource boundaries / no allowlists

Why AgentShield?

AI agents are the fastest-growing attack surface in enterprise security. OWASP released a Top 10 for Agentic Applications in 2026. Gartner projects 40% of enterprise applications will embed AI agents by 2026.

But nobody is scanning agent configurations for security issues. Until now.

Common vulnerabilities AgentShield prevents:

  • Prompt injection → data exfiltration: Agent reads your SSH keys via filesystem access and sends them via the HTTP fetch server
  • Supply chain attacks: Unpinned npx packages can be hijacked between runs
  • Credential theft: API keys hardcoded in config files read by anyone with file access
  • Network exposure: MCP servers bound to 0.0.0.0 accessible from the entire LAN
  • Shell compromise: Direct bash/sh commands grant complete system access to any agent

Example Output

┌──────────┬──────────┬─────────────────────┬────────────────────────────────────────────┐
│ Severity │ Rule     │ Server              │ Issue                                      │
├──────────┼──────────┼─────────────────────┼────────────────────────────────────────────┤
│ 🔴 CRITICAL │ mcp-001  │ filesystem          │ Env var "OPENAI_API_KEY" contains a secret │
│ 🟠 HIGH    │ mcp-003  │ shell-access        │ Server uses "bash" — unrestricted shell    │
│ 🔵 MEDIUM  │ mcp-004  │ http-server         │ Unencrypted HTTP transport                 │
└──────────┴──────────┴─────────────────────┴────────────────────────────────────────────┘

AgentShield found 3 issues (1 critical, 1 high, 1 medium)
Overall Risk Score: 8.2/10

CI/CD Integration

# GitHub Actions
- name: AgentShield Security Scan
  run: npx agentshield scan --ci --severity high
  # Exits with code 1 if any critical or high issues are found

# JSON output for pipeline integration
agentshield scan --format json | jq '.summary.critical'

AI-Powered Deep Scan

In addition to static rule-based scanning, AgentShield can use Claude to perform a contextual security analysis:

export ANTHROPIC_API_KEY=your-key
agentshield scan --deep

The deep scan:

  • Analyzes attack scenarios specific to your server combination
  • Identifies chained attack paths (e.g., filesystem + fetch = exfiltration)
  • Provides actionable remediation suggestions
  • Results are cached by config hash to avoid redundant API calls

Auto-Detection

AgentShield automatically scans these locations when no path is specified:

  • ~/.claude/claude_desktop_config.json (Claude Desktop)
  • ./.mcp.json (project-level)
  • ./mcp.json (project-level)
  • ./.claude/config.json (project-level)

Generate Secure Template

agentshield init

Creates a .mcp.json with security best practices pre-applied: versioned packages, scoped filesystem paths, and commented security guidelines.

Security Best Practices

  1. Never hardcode secrets — Use export KEY=value or a secrets manager
  2. Pin package versions — npx @org/pkg@1.2.3, not npx @org/pkg
  3. Scope filesystem paths — /path/to/project, not / or ~
  4. Use HTTPS — For any SSE/network transport
  5. Add allowlists — Declare which tools/resources each server can access
  6. Avoid shell servers — Use purpose-built MCP servers instead of bash/sh
  7. Separate concerns — Don't give the same agent both data read and network write access
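As an added illustration (not AgentShield's own code) of the rule table under "What It Catches" and of the best practices just listed, here is a simplified JavaScript checker that applies six of those rules to a constructed Claude-Desktop-style config and to a hardened one. The secret-prefix pattern, the list of "network-capable" servers and the shell list are assumptions of this example, not the project's real detection logic.

```javascript
// Added example, not AgentShield's own code: a simplified stand-alone version of
// a few checks from the rule table, run over constructed Claude-Desktop-style
// configs. Rule ids match the table; the heuristics below are assumed.
const SECRET_RE = /^(sk-|ghp_|AKIA|xox[abp]-)/;          // assumed secret-prefix heuristic
const NET_MARKERS = ["server-fetch", "server-puppeteer"]; // assumed "network-capable" servers
const SHELLS = ["bash", "sh", "zsh", "cmd.exe", "powershell"];

function checkServer(name, srv) {
  const out = [];
  const add = (rule, severity, issue) => out.push({ server: name, rule, severity, issue });
  const args = srv.args || [], cmd = srv.command || "", env = srv.env || {};
  // MCP-001: env values that look like API keys (the real scanner uses a richer pattern set)
  for (const [k, v] of Object.entries(env))
    if (SECRET_RE.test(String(v))) add("MCP-001", "critical", `Env var "${k}" contains a secret`);
  // MCP-002: filesystem server rooted at / or the whole home directory instead of a project path
  if (args.some(a => a.includes("server-filesystem")) && args.some(a => a === "/" || a === "~"))
    add("MCP-002", "high", "Filesystem server exposes / or ~ instead of a scoped path");
  // MCP-003: the server *is* a shell, so the agent can run arbitrary commands
  if (SHELLS.includes(cmd)) add("MCP-003", "high", `Server uses "${cmd}": unrestricted shell`);
  // MCP-008: npx package with no explicit version (re-resolved to "latest" on every run)
  const pkg = args.find(a => !a.startsWith("-") && !a.startsWith("/") && !a.startsWith("~"));
  if (cmd === "npx" && pkg && !/.@[^\/@]*\d[^\/@]*$/.test(pkg))
    add("MCP-008", "medium", `Unpinned package "${pkg}"`);
  // MCP-009: listening on all interfaces instead of localhost
  if ([...args, ...Object.values(env).map(String)].some(v => v.includes("0.0.0.0")))
    add("MCP-009", "medium", "Server binds 0.0.0.0 (reachable from the whole LAN)");
  return out;
}

function scan(config) {
  const servers = Object.entries(config.mcpServers || {});
  const findings = servers.flatMap(([n, s]) => checkServer(n, s));
  // MCP-007 is a cross-server rule: local read capability plus an outbound channel
  const canRead = servers.some(([, s]) => (s.args || []).some(a => a.includes("server-filesystem")));
  const canSend = servers.some(([, s]) => (s.args || []).some(a => NET_MARKERS.some(m => a.includes(m))));
  if (canRead && canSend)
    findings.push({ server: "*", rule: "MCP-007", severity: "high", issue: "filesystem + network server combo: exfiltration path" });
  return findings;
}

// Constructed sample configs: one violating the rules, one following the best practices above.
const RISKY = { mcpServers: {
  filesystem: { command: "npx", args: ["-y", "@modelcontextprotocol/server-filesystem", "/"],
                env: { OPENAI_API_KEY: "sk-constructed-not-a-real-key" } },
  fetch: { command: "npx", args: ["-y", "@modelcontextprotocol/server-fetch"] },
  "shell-access": { command: "bash", args: [] },
  "http-server": { command: "node", args: ["server.js", "--host", "0.0.0.0"] } } };
const HARDENED = { mcpServers: {
  filesystem: { command: "npx", args: ["-y", "@modelcontextprotocol/server-filesystem@0.6.2", "/home/dev/project"] } } };
console.log(scan(RISKY), "hardened findings:", scan(HARDENED).length);
```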

Contributing

# Setup
git clone https://github.com/yourusername/agentshield
cd agentshield
pnpm install

# Development
pnpm dev

# Tests
pnpm test

# Add a new rule: see CLAUDE.md for instructions

All new rules must have:

  • Detection logic with no false positives on the valid-clean.json fixture
  • At least 5 test cases covering positive, negative, and edge cases
  • A human-readable fix suggestion with actionable steps

License

MIT — see LICENSE
