Secure everything your AI agent trusts.
Your AI coding agent (Claude Code, Cursor, Windsurf, and the rest) does not just run the code you write. It reads and acts on a large surface of inputs that you almost certainly never reviewed:
- The MCP servers you added, and every tool description they expose.
- The skills, slash-commands, and subagents in your config, which carry executable bodies, not just prose.
- The agent's long-term memory, where an injected "fact" can steer every future session.
- The rules, instruction files, and hooks the agent reads on startup.
- The A2A agent cards it uses to decide whether to trust a peer.
- The results tools hand back, which the model reads as if they were trustworthy.
Each of these is an instruction channel into a model that acts on your machine. Prompt injection, tool poisoning, indirect injection via tool results, poisoned memory, MCP rug pulls, and malicious skills are the recurring failure shapes: the same list the OWASP Agentic Top 10 (2026) now enumerates. None of them show up in a normal dependency scan, because the payload is not a CVE. It is text your agent was told to trust.
Vulkro checks that whole surface. The free, open-source tools do the inspection and auditing. The paid engine adds an in-loop guard that watches your assistant as it writes.
MCP servers and their tools
When you add an MCP server, you inherit every tool description it ships, and your model reads those descriptions as instructions. Two free commands cover this:
# Before you add it: is this MCP server safe?
vulkro-live inspect <server>
# The bouncer: scan the tool descriptions (or a returned result)
vulkro-live warden <target>
inspect resolves the server, verifies the backing package, and
returns a plain GREEN / REVIEW / AVOID verdict so the "should I add
this" decision is a one-liner. warden is the MCP and agent-tool
bouncer: it scans an MCP server's tool descriptions (or a single
returned tool result) for prompt injection, tool poisoning, tool
shadowing, hidden unicode, exfiltration sinks, and risky
capabilities.
See the MCP server page for the developer-side view (scanning the MCP server source you are writing).
Skills and commands
Skills, slash-commands, and subagents are not just descriptions. They carry an executable body that runs with your agent's permissions. Reviewing the prose and skipping the body is how a malicious skill gets in.
vulkro-live skillscan <path>
skillscan scans the executable body of your skills, slash-commands,
and subagents, not only their front-matter and description text.
Agent memory
Long-term agent memory is a persistence channel. An attacker who lands one poisoned "fact" (an instruction phrased as a remembered preference, or a stored note that runs a command) gets to steer every session that reads that memory afterward.
vulkro-live memcheck <memory>
memcheck scans an AI agent's stored long-term memory for
poisoning: an injected entry designed to run a command or bias every
future session.
Agent config and hooks
Your agent reads rules, instruction files, and configured MCP
servers on startup, and some hooks reach the network. Auditing them
one at a time does not scale, so audit does the whole surface in
one pass.
vulkro-live audit
audit covers your entire agent surface at once: every configured
MCP server, plus the rules, skills, and instruction files an agent
reads, plus network-reaching hooks. It is the "one command, whole
surface" entry point when you do not yet know where the risk is.
To catch an MCP rug pull (a server that ships a clean manifest, then quietly changes it) two more free commands pin and diff the manifest:
# Fingerprint the current tool manifest
vulkro-live lock <server>
# Later: report a field-level diff against the lock
vulkro-live drift <server>
lock fingerprints the current tool manifest. drift reports a
field-level diff: a dropped readOnlyHint, a description that gained
an injection phrase, a tool that changed shape since you approved it.
A2A agent cards
When your agent trusts a peer through an A2A agent card, that card
is another untrusted input. cardcheck vets it before your agent
acts on it.
vulkro-live cardcheck <card>
cardcheck checks identity and domain match, looks for injection
over the card's text fields, flags confusable names, and gives an
honest signature-presence report. Be clear on the limit here: it
reports whether a signature is present, it does not verify the
signature cryptographically, and it never claims to.
Tool results and indirect injection
The most easily overlooked channel is the result a tool returns. Your agent reads that text as trustworthy, so a web page, a file, or an upstream API can plant instructions the model then follows. That is indirect prompt injection.
# Scan a returned tool result, not just the server
vulkro-live warden <result>
warden runs against a returned tool result as well as an MCP
server, so the text coming back into your agent gets the same
prompt-injection, exfiltration-sink, and hidden-unicode check as the
tool that produced it.
Packages, because agents install them too
Agents pull in dependencies as readily as they call tools, so package safety belongs on the same surface:
vulkro-live verify <manifest> # package safety
vulkro-live foresee <name> # look ahead before you install
Give your agent the tools directly
Vulkro Labs ships a built-in MCP server, so your agent can call the checks itself instead of you running them by hand:
vulkro-live mcp
This exposes verify, warden, and inspect to your agent
directly, so a suspicious package, MCP server, or tool result can be
vetted mid-session.
Free tools, and the in-loop guard in the paid engine
Everything above is the free, open-source, keyless Vulkro Labs
CLI (vulkro-live). The tools are MIT or Apache-2.0 licensed and run
entirely on your machine.
curl -fsSL https://dist.vulkro.com/install-live.sh | bash
The paid Vulkro engine is a separate download and adds the piece the free tools do not: an in-loop guard that runs while the agent writes.
curl -fsSL https://dist.vulkro.com/install.sh | bash
vulkro guard runs inside your AI assistant's write loop (Claude
Code, Cursor, and Windsurf hooks), checks each file as it is written,
and feeds serious findings back so the assistant fixes the problem
before the file lands. It is offline and per-file fast. The engine
also carries MCP-server-source and MCP-host-config audits and
RAG-indexing-safety detectors.
The distinction matters and stays exact: the Labs tools
(vulkro-live) are the open-source, on-your-machine agent-surface
checks. The Vulkro engine is closed, licensed, and uses no AI. What
you pay for is detection depth and the in-loop guard, not a cloud
service and not a model call.
Get started
Install the free agent-surface tools first and run an audit:
curl -fsSL https://dist.vulkro.com/install-live.sh | bash
vulkro-live audit
That one command sweeps your MCP servers, skills, instruction files,
and network-reaching hooks. From there, warden, inspect,
skillscan, memcheck, lock / drift, and cardcheck cover the
individual surfaces, and vulkro-live mcp hands the checks to your
agent directly.
See the Vulkro Labs hub for the full free-tool lineup, and
the features page for the paid engine, including
vulkro guard in your assistant's write loop.