Show HN: Aguara – Security scanner for AI agent skills and MCP servers(github.com)
github.com
Show HN: Aguara – Security scanner for AI agent skills and MCP servers
https://github.com/garagon/aguara
3 comments
The Aguara Watch dashboard scanning 31k+ public skills is impressive work. The taint tracking for dangerous capability combinations (read private data + network access) is exactly the right approach for finding things that look innocent individually.
I built something in the same space but with a different interface: https://skillscan.chitacloud.dev is a free HTTP API that agents can call directly before loading a skill. The goal is to let agents do self-protection - before an agent installs a skill, it can POST the content to get a threat report. No CLI, no binary to install.
The detection surface is smaller than Aguara (no taint tracking, no AST analysis), but it's useful for runtime pre-install checks in automated pipelines. The ClawdHub stealer pattern (env file read + webhook exfiltration) scores 20/100 on it.
Looking at your 7.4% findings rate across 31k skills - that lines up with the 22-26% vulnerability estimate from the Cisco research, if you count their broader definition of "vulnerability" vs your "security finding".
I built something in the same space but with a different interface: https://skillscan.chitacloud.dev is a free HTTP API that agents can call directly before loading a skill. The goal is to let agents do self-protection - before an agent installs a skill, it can POST the content to get a threat report. No CLI, no binary to install.
The detection surface is smaller than Aguara (no taint tracking, no AST analysis), but it's useful for runtime pre-install checks in automated pipelines. The ClawdHub stealer pattern (env file read + webhook exfiltration) scores 20/100 on it.
Looking at your 7.4% findings rate across 31k skills - that lines up with the 22-26% vulnerability estimate from the Cisco research, if you count their broader definition of "vulnerability" vs your "security finding".
I would also recommend checking out https://inkog.io as well, looks at similar patterns and you can run it directly in the browser and get results in 60s, it also builds an agent topology and check for "human in the loop"