Skill Detail
Snyk Agent Scan
Scan your AI agents, MCP servers, and skills for security vulnerabilities from the command line.
Security & VerificationMCP
Security & Verification
MCP
Security Reviewed
Security: Low
Tool match: agent-scan
โญ 2.5k GitHub stars
Apache-2.0 license
INSTALL WITH ANY AGENT
npx skills add agentskillexchange/skills --skill snyk-agent-scan
Works best when you want a reusable capability, not another fragile one-off prompt.
At a glance
Tools required
Python 3.10+, uv package manager, Snyk API token
Author
Snyk
Publisher
Company
Last updated
Apr 8, 2026
Quick brief
Snyk Agent Scan (formerly Invariant Labs MCP-Scan) is a command-line security scanner purpose-built for the AI agent supply chain. It auto-discovers agent configurations for Claude Code, Claude Desktop, Cursor, Windsurf, Gemini CLI, and other MCP-compatible platforms, then runs a comprehensive vulnerability assessment against every discovered component.
How it works
What this skill actually does
Best for
- Auditing installed MCP servers and agent skills before trusting them
- Detecting prompt injection attacks hidden in tool descriptions
- Identifying tool shadowing between MCP servers
- Verifying skills don’t contain malware payloads or unsafe credential handling
What it scans
- MCP servers: Prompt injection in tool descriptions, tool shadowing, tool poisoning via hidden instructions, and toxic data flows
- Agent skills: Prompt injection in skill files, malware payloads, untrusted content references, unsafe credential handling, and hardcoded secrets
- Agent harnesses: Configuration discovery and inventory across all supported platforms
Install notes
Get an API token from app.snyk.io/account. Set SNYK_TOKEN, install uv, then run uvx snyk-agent-scan@latest for a full machine scan. For targeted scans: uvx snyk-agent-scan@latest ~/.cursor/mcp.json.
Source: github.com/snyk/agent-scan