Audit
Pre-deploy scanning of skills, MCP configs, npm packages
311 ATR rules (MIT licensed) · 97.1% recall on NVIDIA Garak (666 adversarial prompts) · 96.9% recall / 100% precision / 0% FP on 498 real-world SKILL.md samples · 0.48% FP on 3,115 wild Skills.sh packages · Merged into Microsoft Agent Governance Toolkit #908 and Cisco AI Defense skill-scanner #79 (34 rules).
WHAT THIS LAYER DOES
L2 Audit inspects the code and configs an agent is about to trust, before it runs. Two scan paths: MCP config JSON (claude_desktop_config.json, .cursor/mcp.json) for runtime protection rules; SKILL.md files for skill-marketplace prompt injection and tool poisoning. Same 311 ATR rules, different regex subsets per scan target.
WHY YOU NEED IT
One malicious skill install = agent hijack. The postmark-mcp incident silently forwarded 15,000 emails/day for months before detection. Scan before you trust the code an agent is about to run.
HOW IT WORKS
Regex-first ATR engine with optional LLM semantic layer. Rules stored as YAML with versioned lifecycle (draft → experimental → stable). Web scanner at panguard.ai/ and CLI `pga scan <url-or-path>`. Microsoft AGT + Cisco AI Defense ship these rules as their reference detection pack.
TRY IT NOW
Scan any GitHub-hosted MCP skill in 60 seconds:
pga scan github.com/modelcontextprotocol/serversATTACKS THIS LAYER CATCHES
Concrete threats, concrete controls
Direct prompt injection
CRITICAL"Ignore previous instructions" patterns hidden in skill descriptions, tool outputs, or user inputs.
Tool poisoning via MCP response
CRITICALHidden instructions in MCP tool responses that override system prompts.
Credential exfiltration
CRITICALSkills that read ~/.ssh/id_rsa or environment variables and POST them to external endpoints.
ECOSYSTEM INTEGRATIONS