Thirty-seven percent of AI agent skills on public registries contain at least one security flaw. Seventy-six of those skills are confirmed malware. And until March 2026, there was no automated way to check whether the skills and MCP servers running on your machine were safe. Snyk changed that with agent-scan, an open-source CLI tool that auto-discovers agent configurations on your machine and scans them for 15+ distinct security risk categories. It shipped at RSAC 2026 as part of a broader agent security suite, and it fills a gap that has been widening since MCP adoption crossed 17,000 servers.
This is not a linting tool or a best-practices checker. Agent-scan detects tool poisoning, prompt injection in tool descriptions, credential leaks, malware payloads, and toxic flows in both MCP servers and installable agent skills. It is the npm audit moment for AI agents.
What Agent-Scan Actually Does
Agent-scan operates in two modes. The CLI mode runs snyk-agent-scan on your local machine and immediately reports what it finds. The background mode connects to a Snyk Evo instance and runs on a schedule, designed for security teams managing fleets of developer machines via MDM or CrowdStrike.
The first thing agent-scan does is auto-discover agent configurations. It knows where Claude Code, Claude Desktop, Cursor, Gemini CLI, and Windsurf store their MCP server configs and skill registries. You do not need to point it at specific files. Run it, and it maps the agent landscape on that machine.
Then it scans across two categories:
MCP servers get checked for prompt injection in tool descriptions, tool poisoning (hidden instructions that override user-visible behavior), tool shadowing (a new server silently replacing an existing tool), and toxic flows (sequences of tool calls that could lead to security violations).
Agent skills get checked for prompt injection, malware payloads, untrusted content fetching, credential handling patterns, and hardcoded secrets. The --skills flag enables this scan: snyk-agent-scan --skills.
The scanner outputs a risk report with severity levels and specific remediation guidance for each finding. It is not a binary pass/fail. You get granular detail about what is wrong and why it matters.
The Invariant Labs Foundation
Agent-scan did not appear from nowhere. In June 2025, Snyk acquired Invariant Labs, an ETH Zurich spin-off co-founded by professors Martin Vechev and Florian Tramer. Invariant Labs were the researchers who discovered and named “tool poisoning” as an attack class. They built mcp-scan, the first dedicated MCP security scanner, and published the research showing how a single malicious MCP server could silently exfiltrate a user’s entire WhatsApp history by exploiting cross-origin trust between MCP servers in the same session.
Their core innovation is Toxic Flow Analysis (TFA), a hybrid static-and-dynamic analysis framework that models every possible sequence of tool calls an agent might make and scores which flows could lead to security violations. Traditional static analysis cannot handle this because the execution path depends on LLM reasoning, which is non-deterministic. TFA treats the LLM as a black box and instead analyzes the tool graph: if Tool A provides untrusted input, Tool B has privileged access, and Tool C can send data externally, that three-tool sequence is flagged regardless of whether the LLM would actually execute it.
This approach now powers the toxic flow detection in agent-scan. The acquisition-to-product pipeline took nine months: Invariant Labs joined Snyk in June 2025, the ToxicSkills report dropped in February 2026, and agent-scan shipped at RSAC in March 2026.
ToxicSkills: The Data Behind the Scanner
The ToxicSkills report gave agent-scan its empirical foundation. Published in February 2026, it audited 3,984 skills from ClawHub and skills.sh as of February 5, 2026. The results were worse than most security researchers expected.
Out of 3,984 skills: 1,467 (36.8%) had at least one security flaw, 534 (13.4%) had critical-level issues, and 76 (1.9%) contained confirmed malicious payloads. The 76 malicious skills were not subtle. One hundred percent contained malicious code patterns. Ninety-one percent simultaneously used prompt injection to manipulate the host agent. A user named zaycv published a fake ClawHub CLI skill containing a reverse shell.
The credential theft numbers are especially concerning. Roughly 434 skills (10.9%) contained hardcoded secrets, and 283 (7.1%) were actively leaking credentials. One hundred fifty-six credential-stealing skills had over 10,000 combined downloads. Eight malicious skills were still publicly available on ClawHub at the time of publication.
Why the Barrier to Entry Matters
Publishing a skill on ClawHub requires a SKILL.md Markdown file and a GitHub account that is one week old. No code signing. No security review. No sandbox by default. No verified publisher program. This is the exact set of conditions that enabled the event-stream attack on npm in 2018, except agent skills have something npm packages never had: the AI agent already has shell access, file system permissions, and network connectivity. The skill does not need to request elevated privileges because the agent already has them.
The comparison to early npm is not hypothetical. Skill submissions jumped from under 50 per day in mid-January to over 500 per day by early February 2026. That growth rate, combined with zero automated security review, created the conditions that ToxicSkills documented.
The Broader Agent Security Landscape at RSAC 2026
Snyk was not the only vendor who shipped agent security tooling at RSAC 2026. The conference, held March 23-24, 2026, saw a burst of competing products:
SentinelOne launched Prompt AI Agent Security for real-time agent governance, including MCP server coverage and automated remediation. They also shipped Prompt AI Red Teaming for testing internally built AI applications.
Cisco released DefenseClaw, an open-source framework bundling a Skills Scanner, MCP Scanner, AI-BOM (AI Bill of Materials), and CodeGuard in a single toolkit.
Endor Labs introduced AURI, an agentic security platform that combines AI reasoning with deterministic program analysis and integrates via Hooks, Skills, MCP, and CLI.
The fact that four major security vendors shipped agent security products in the same week tells you where the market is. Gartner projects AI cybersecurity spending will grow at a 73.9% CAGR from 2024 to 2029. Cisco’s survey found 85% of enterprises are experimenting with AI agents, but only 5% have them in production. That gap between experimentation and production is where security tooling either gets adopted or gets ignored.
What Makes Agent-Scan Different
The competitive landscape matters because agent-scan makes specific trade-offs that distinguish it from the alternatives.
Open Source First
Agent-scan is open source on GitHub under a permissive license. SentinelOne’s offering is proprietary. Cisco’s DefenseClaw is also open source. This matters because security tools that cannot be audited face a fundamental trust problem, especially when they scan configurations that contain API keys and credentials.
Supply Chain Integration
Snyk partnered with Vercel to integrate agent-scan into the skills.sh marketplace. Every skill installed via npx skills is scanned by Snyk’s API before it reaches a developer’s machine. The skills ecosystem currently grows at roughly 147 new skills per day. Pre-installation scanning is the only approach that scales against that growth rate because post-installation scanning means malicious skills have already executed by the time you detect them.
Enterprise Deployment
The background mode distinguishes agent-scan from point-in-time scanners. Security teams can deploy it via MDM, connect it to CrowdStrike, and get continuous visibility into which MCP servers and skills are running across every developer machine in the organization. For companies moving from the “5% in production” group to broader agent deployment, this operational model matters more than the scan itself.
The SANDWORM_MODE Wake-Up Call
If the ToxicSkills numbers feel abstract, the SANDWORM_MODE incident from February 2026 makes it concrete. Security researchers discovered an npm worm that specifically targets AI coding assistants. It includes an “McpInject” module that deploys rogue MCP servers into the configurations of Claude Code, Cursor, VS Code Continue, and Windsurf.
The attack flow: a developer installs a seemingly legitimate npm package. The package’s postinstall script writes a malicious MCP server definition into the developer’s agent configuration files. The next time the developer opens their AI coding assistant, it connects to the rogue MCP server, which can now intercept prompts, exfiltrate code, and inject malicious instructions into the agent’s tool responses.
This is the supply chain attack that agent-scan was built to catch. The rogue MCP server would trigger multiple risk categories: prompt injection in tool descriptions, untrusted content sources, and suspicious configuration changes. Whether developers actually run agent-scan before opening their coding assistant is a different question, but at least the detection capability now exists.
Getting Started with Agent-Scan
Running agent-scan takes less than a minute:
# Install globally
npm install -g @snyk/agent-scan
# Scan MCP servers on your machine
snyk-agent-scan
# Also scan installed agent skills
snyk-agent-scan --skills
# Scan a specific config file
snyk-agent-scan --config ~/.cursor/mcp.json
The output categorizes findings by severity and risk type. For each finding, you get the specific file, the risk category, a description of the issue, and a recommended fix. Critical findings (confirmed malware, active credential exfiltration) are highlighted separately from warnings (hardcoded secrets, overly permissive tool descriptions).
For teams evaluating agent security tooling, agent-scan is the starting point because it is free, open source, and can run in CI pipelines. The commercial Snyk Evo platform adds continuous monitoring, fleet management, and integration with existing SIEM/SOAR workflows, but the core scanning logic is identical.
Frequently Asked Questions
What is Snyk agent-scan?
Snyk agent-scan is an open-source CLI tool that auto-discovers AI agent configurations (Claude Code, Cursor, Gemini CLI, Windsurf) and scans MCP servers and agent skills for 15+ security risk categories including tool poisoning, prompt injection, malware payloads, and credential leaks.
What did the ToxicSkills report find?
The ToxicSkills report audited 3,984 AI agent skills from ClawHub and skills.sh in February 2026. It found that 36.8% had at least one security flaw, 13.4% had critical issues, and 76 skills contained confirmed malicious payloads including reverse shells, credential theft, and data exfiltration.
How does tool poisoning differ from prompt injection?
Prompt injection manipulates the AI agent through user-facing text inputs. Tool poisoning hides malicious instructions in MCP tool descriptions that the LLM reads but that are not normally displayed to users. A poisoned tool can manipulate the agent’s behavior without the user ever seeing the malicious instructions.
Why did Snyk acquire Invariant Labs?
Snyk acquired Invariant Labs in June 2025 to gain their expertise in MCP security research, including the mcp-scan tool and Toxic Flow Analysis framework. Invariant Labs, an ETH Zurich spin-off, pioneered the discovery of tool poisoning attacks and built the foundational technology that powers agent-scan.
How do I run Snyk agent-scan on my machine?
Install agent-scan globally with npm install -g @snyk/agent-scan, then run snyk-agent-scan to scan MCP servers or snyk-agent-scan --skills to also scan installed agent skills. It auto-discovers configurations for Claude Code, Cursor, Gemini CLI, and Windsurf.