AgentShield — open-source security scanner for MCP servers (30 rules, offline)

[elliotllliu]

TL;DR

I built AgentShield, an open-source security scanner for MCP servers, AI agent tools, and plugins. It statically analyzes code for backdoors, data exfiltration, prompt injection, and supply chain attacks.

With the Vercel AI SDK's MCP support, developers are connecting to third-party MCP servers — and there's currently no standard way to verify what those servers actually do before connecting.

Why This Matters for AI SDK Users

The AI SDK makes it easy to connect to MCP servers via experimental_createMCPClient. But MCP servers run arbitrary code with access to:

• Tool definitions that can shadow or override other tools
• User prompts and conversation context
• System resources (files, network, environment variables)
• The ability to inject instructions via tool descriptions

A malicious MCP server can look perfectly normal in its tool listing while exfiltrating data or injecting prompts behind the scenes.

What AgentShield Detects

30 rules, 100% offline, MIT licensed:

# Scan an MCP server before connecting
npx @elliotllliu/agent-shield scan ./mcp-server/

# Scan from GitHub
npx @elliotllliu/agent-shield scan https://github.com/someone/mcp-server

# JSON output for automation
npx @elliotllliu/agent-shield scan ./server/ --format json

Key detections for MCP servers:

• Tool shadowing: tool names that conflict with or override other tools
• Prompt injection: 55+ patterns in tool descriptions and responses
• Data exfiltration: reads sensitive files + sends HTTP requests
• Backdoors: eval(), exec(), dynamic code execution
• Description integrity: semantic mismatch between what a tool says it does vs what it actually does

Real-World Data

Scanned 493 Dify plugins (9,862 files, 939K lines) — found 6 high-risk plugins with eval(), exec(), and reverse shell patterns published in the marketplace. Full report.

Suggestion

It would be valuable if the AI SDK ecosystem had a way to verify MCP servers before connection — perhaps as a recommended pre-check step in the docs, or as part of a registry. AgentShield could serve as the scanning layer.

GitHub: https://github.com/elliotllliu/agent-shield

[github-actions[bot]]

This discussion was automatically closed because the community moved to community.vercel.com/ai-sdk