Let AI agents run free. We keep you safe.
Security scanner for AI agents. Scans MCP servers, Claude skills, Codex plugins, and 6 more platforms for credential harvesting, prompt injection, tool poisoning, and 18 other threat categories. 268 detection rules. Zero config.
Your AI agent has access to your filesystem, credentials, shell, and network. It trusts every MCP server and skill it connects to. Two things go wrong:
Your agent tries to help and causes damage. An AI agent deleted a production database, ignored 11 explicit instructions, and fabricated 4,000 fake records to cover it up. Another wiped an entire production environment, causing a 13-hour AWS outage. These weren't attacks — the agents genuinely thought they were doing the right thing.
Something external manipulates your agent. Prompt injection reports surged 540% in 2025. Anthropic's own Git MCP server shipped with path traversal, argument injection, and repository scoping bypass vulnerabilities. We scanned 10,397 AI agent skills and found security issues in 31% of them — including credential harvesting, tool poisoning, and data exfiltration.
Firmis catches both. Your agent keeps full autonomy. We intervene only when something is actually dangerous.
No account needed. No API key. Just scan.
# Zero-install scan (recommended)
npx firmis-cli scan
# Or install globally
npm install -g firmis-cli
firmis scanClaude Code / Claude Desktop (MCP server)
Add to your MCP settings:
{
"mcpServers": {
"firmis": {
"command": "npx",
"args": ["-y", "firmis-cli", "--mcp"]
}
}
}Your agent can now run firmis_scan, firmis_discover, and firmis_report as tools.
Cursor (MCP server)
Add to .cursor/mcp.json:
{
"mcpServers": {
"firmis": {
"command": "npx",
"args": ["-y", "firmis-cli", "--mcp"]
}
}
}Claude Code Skills
# Add Firmis security skills to your project
git clone https://github.com/firmislabs/firmis-security.git .claude/skills/firmisSkills: security-scan, security-fix, security-report. Works in Claude Code, Codex, Cursor, and any tool that reads SKILL.md.
Any agent framework
# Auto-detects: LangChain, CrewAI, AutoGen, MetaGPT, AutoGPT, LangFlow, n8n
npx firmis-cli scan ./my-agent-projectNo --platform flag needed. Firmis detects the framework from package.json, pyproject.toml, or requirements.txt.
Firmis scans two attack surfaces that other tools miss:
- Code surface — what your agent's code actually does (file access, network calls, shell commands)
- Instruction surface — what SKILL.md, AGENTS.md, and tool descriptions tell your agent to do (prompt injection, identity spoofing, behavioral manipulation)
| Layer | What | How |
|---|---|---|
| Map | Map your agent's full attack surface | Static analysis — deterministic rules, no LLM, fully transparent |
| Monitor | Block dangerous actions at runtime | Policy rules — prevent destructive commands, credential exfiltration, unauthorized access |
| Fix | Remediate through your coding agent | Agent-readable guidance — quarantine, redact secrets, tighten permissions, upgrade dependencies |
Note
The scanner is free, unlimited, and requires no account. Run npx firmis-cli scan — all rules, HTML + JSON + SARIF reports included.
| Platform | Config Location |
|---|---|
| Claude Code Skills | ~/.claude/skills/ |
| MCP Servers | ~/.config/mcp/, claude_desktop_config.json |
| OpenAI Codex Plugins | ~/.codex/plugins/ |
| Cursor Extensions | ~/.cursor/extensions/ |
| CrewAI Agents | crew.yaml, agents.yaml |
| AutoGPT Plugins | ~/.autogpt/plugins/ |
| OpenClaw Skills | ~/.openclaw/skills/ |
| Nanobot Agents | nanobot.yaml, agents/*.md |
| Supabase | supabase/migrations/, config.toml |
Built on real-world security research, not toy examples.
| Benchmark | Result |
|---|---|
| OpenClaw Registry Scan | 10,397 skills scanned, 31.3% with security issues, 859 known-malicious signatures |
| InjecAgent Multi-Model Pentest | Firmis blocks 79% of successful attacks (Codex ASR: 48% → 10% with Firmis) |
| Tool Poisoning Detection | 99.09% detection rate on Layer 1 MCP-SafetyBench cases |
| Runtime Policy Rules | 529 test cases, 100% evasion block rate, 0% false positives, 99.24% allow rate on 10K real events |
Benchmarked against InjecAgent, MCP-SafetyBench, and the OWASP MCP Top 10.
| Category | Description |
|---|---|
| credential-harvesting | Access to AWS, SSH, GCP, or other credentials |
| data-exfiltration | Sending data to external servers |
| tool-poisoning | Hidden instructions in tool descriptions to hijack agents |
| prompt-injection | Manipulating AI behavior through injected prompts |
| privilege-escalation | sudo, setuid, kernel modules |
| agent-identity-spoofing | Unauthorized SOUL.md, AGENTS.md modification |
| supply-chain | Malicious dependencies, typosquatting, known-malicious packages |
| access-control | RLS misconfigurations, missing policies |
Run firmis scan --verbose to see all active rules and categories.
name: Agent Security Scan
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Run Firmis Security Scan
run: npx firmis-cli scan --sarif --output results.sarif
- name: Upload SARIF to GitHub Security
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif#!/bin/bash
# .git/hooks/pre-commit
npx firmis-cli scan --severity high --json
if [ $? -ne 0 ]; then
echo "Security threats detected. Commit blocked."
exit 1
fi Firmis
Scanned 84 files in 0.2s
37 fixable · 271 to review
Fixable findings (37)
├── Tool Poisoning ..................... 13
├── Suspicious Behavior ................ 5
├── Credential Harvesting .............. 4
├── Prompt Injection ................... 4
├── Data Exfiltration .................. 3
├── Unsupervised Execution ............. 3
├── Supply Chain ....................... 2
├── Third Party Content ................ 2
└── Agent Memory Poisoning ............. 1
Findings to review (271)
├── Data Exfiltration .................. 51
├── Tool Poisoning ..................... 49
├── Credential Harvesting .............. 41
├── Supply Chain ....................... 23
├── Permission Bypass .................. 21
├── Privilege Escalation ............... 15
├── Malware Distribution ............... 14
├── Known Malicious .................... 12
└── ... 7 more categories
Run firmis scan --deep for AI-powered exploit analysis
Report: firmis-report.html
# my-rules/internal-api.yaml
rules:
- id: internal-001
name: Internal API Key Exposure
description: Detects hardcoded internal API keys
category: credential-harvesting
severity: critical
version: "1.0.0"
enabled: true
patterns:
- type: regex
pattern: "INTERNAL_[A-Z]+_KEY"
weight: 100firmis scan --config firmis.config.yamlimport { ScanEngine, RuleEngine } from 'firmis-cli'
const ruleEngine = new RuleEngine()
await ruleEngine.load()
const scanEngine = new ScanEngine(ruleEngine)
const result = await scanEngine.scan('./my-project', {
platforms: ['claude', 'mcp'],
severity: 'medium',
})
console.log(`Found ${result.summary.threatsFound} threats`)Is it free?
Yes. The scanner is free, open-source (Apache-2.0), and requires no account. Run npx firmis-cli scan — unlimited scans, all rules, HTML + JSON + SARIF reports.
What is tool poisoning?
Tool poisoning is when an MCP server embeds hidden instructions in tool descriptions to hijack your AI agent. Research shows a 72.8% attack success rate. Firmis detects known poisoning patterns, hidden Unicode, description/behavior mismatches, and prompt override attempts.
How is Firmis different from mcp-scan?
mcp-scan checks MCP server configs against a known-bad list. Firmis scans every major AI agent platform (not just MCP) with static analysis rules across both code and instruction surfaces. It also includes runtime monitoring with policy enforcement and agent-readable remediation guidance.Does it use AI for scanning?
No. The scanner uses deterministic, rule-based static analysis — no LLM inference. You can read every rule and understand exactly what it detects. Deep scan (AI-powered analysis) is available as a paid upgrade for exploitability verification.
Built with research from:
- OWASP MCP Top 10 — threat taxonomy for MCP security
- InjecAgent — multi-model indirect prompt injection benchmark
- MCP-SafetyBench — MCP server safety evaluation
- Anthropic Claude Code System Card — two-layer security architecture validation
We welcome contributions! See CONTRIBUTING.md for guidelines.
git clone https://github.com/firmislabs/firmis-scanner.git
cd firmis-scanner
npm install
npm test
npm run buildFound a security vulnerability? Please report it privately to security@firmislabs.com.
Apache License 2.0 — see LICENSE for details.
If Firmis helped you find something, give us a ⭐
Built by Firmis Labs