Skip to main content

Secure everything your AI agent trusts.

Your AI coding agent (Claude Code, Cursor, Windsurf, and the rest) does not just run the code you write. It reads and acts on a large surface of inputs that you almost certainly never reviewed:

  • The MCP servers you added, and every tool description they expose.
  • The skills, slash-commands, and subagents in your config, which carry executable bodies, not just prose.
  • The agent's long-term memory, where an injected "fact" can steer every future session.
  • The rules, instruction files, and hooks the agent reads on startup.
  • The A2A agent cards it uses to decide whether to trust a peer.
  • The results tools hand back, which the model reads as if they were trustworthy.

Each of these is an instruction channel into a model that acts on your machine. Prompt injection, tool poisoning, indirect injection via tool results, poisoned memory, MCP rug pulls, and malicious skills are the recurring failure shapes: the same list the OWASP Agentic Top 10 (2026) now enumerates. None of them show up in a normal dependency scan, because the payload is not a CVE. It is text your agent was told to trust.

Vulkro checks that whole surface. The free, open-source tools do the inspection and auditing. The paid engine adds an in-loop guard that watches your assistant as it writes.

MCP servers and their tools

When you add an MCP server, you inherit every tool description it ships, and your model reads those descriptions as instructions. Two free commands cover this:

# Before you add it: is this MCP server safe?
vulkro-live inspect <server>

# The bouncer: scan the tool descriptions (or a returned result)
vulkro-live warden <target>

inspect resolves the server, verifies the backing package, and returns a plain GREEN / REVIEW / AVOID verdict so the "should I add this" decision is a one-liner. warden is the MCP and agent-tool bouncer: it scans an MCP server's tool descriptions (or a single returned tool result) for prompt injection, tool poisoning, tool shadowing, hidden unicode, exfiltration sinks, and risky capabilities.

See the MCP server page for the developer-side view (scanning the MCP server source you are writing).

Skills and commands

Skills, slash-commands, and subagents are not just descriptions. They carry an executable body that runs with your agent's permissions. Reviewing the prose and skipping the body is how a malicious skill gets in.

vulkro-live skillscan <path>

skillscan scans the executable body of your skills, slash-commands, and subagents, not only their front-matter and description text.

Agent memory

Long-term agent memory is a persistence channel. An attacker who lands one poisoned "fact" (an instruction phrased as a remembered preference, or a stored note that runs a command) gets to steer every session that reads that memory afterward.

vulkro-live memcheck <memory>

memcheck scans an AI agent's stored long-term memory for poisoning: an injected entry designed to run a command or bias every future session.

Agent config and hooks

Your agent reads rules, instruction files, and configured MCP servers on startup, and some hooks reach the network. Auditing them one at a time does not scale, so audit does the whole surface in one pass.

vulkro-live audit

audit covers your entire agent surface at once: every configured MCP server, plus the rules, skills, and instruction files an agent reads, plus network-reaching hooks. It is the "one command, whole surface" entry point when you do not yet know where the risk is.

To catch an MCP rug pull (a server that ships a clean manifest, then quietly changes it) two more free commands pin and diff the manifest:

# Fingerprint the current tool manifest
vulkro-live lock <server>

# Later: report a field-level diff against the lock
vulkro-live drift <server>

lock fingerprints the current tool manifest. drift reports a field-level diff: a dropped readOnlyHint, a description that gained an injection phrase, a tool that changed shape since you approved it.

A2A agent cards

When your agent trusts a peer through an A2A agent card, that card is another untrusted input. cardcheck vets it before your agent acts on it.

vulkro-live cardcheck <card>

cardcheck checks identity and domain match, looks for injection over the card's text fields, flags confusable names, and gives an honest signature-presence report. Be clear on the limit here: it reports whether a signature is present, it does not verify the signature cryptographically, and it never claims to.

Tool results and indirect injection

The most easily overlooked channel is the result a tool returns. Your agent reads that text as trustworthy, so a web page, a file, or an upstream API can plant instructions the model then follows. That is indirect prompt injection.

# Scan a returned tool result, not just the server
vulkro-live warden <result>

warden runs against a returned tool result as well as an MCP server, so the text coming back into your agent gets the same prompt-injection, exfiltration-sink, and hidden-unicode check as the tool that produced it.

Packages, because agents install them too

Agents pull in dependencies as readily as they call tools, so package safety belongs on the same surface:

vulkro-live verify <manifest> # package safety
vulkro-live foresee <name> # look ahead before you install

Give your agent the tools directly

Vulkro Labs ships a built-in MCP server, so your agent can call the checks itself instead of you running them by hand:

vulkro-live mcp

This exposes verify, warden, and inspect to your agent directly, so a suspicious package, MCP server, or tool result can be vetted mid-session.

Free tools, and the in-loop guard in the paid engine

Everything above is the free, open-source, keyless Vulkro Labs CLI (vulkro-live). The tools are MIT or Apache-2.0 licensed and run entirely on your machine.

curl -fsSL https://dist.vulkro.com/install-live.sh | bash

The paid Vulkro engine is a separate download and adds the piece the free tools do not: an in-loop guard that runs while the agent writes.

curl -fsSL https://dist.vulkro.com/install.sh | bash

vulkro guard runs inside your AI assistant's write loop (Claude Code, Cursor, and Windsurf hooks), checks each file as it is written, and feeds serious findings back so the assistant fixes the problem before the file lands. It is offline and per-file fast. The engine also carries MCP-server-source and MCP-host-config audits and RAG-indexing-safety detectors.

The distinction matters and stays exact: the Labs tools (vulkro-live) are the open-source, on-your-machine agent-surface checks. The Vulkro engine is closed, licensed, and uses no AI. What you pay for is detection depth and the in-loop guard, not a cloud service and not a model call.

Get started

Install the free agent-surface tools first and run an audit:

curl -fsSL https://dist.vulkro.com/install-live.sh | bash
vulkro-live audit

That one command sweeps your MCP servers, skills, instruction files, and network-reaching hooks. From there, warden, inspect, skillscan, memcheck, lock / drift, and cardcheck cover the individual surfaces, and vulkro-live mcp hands the checks to your agent directly.

See the Vulkro Labs hub for the full free-tool lineup, and the features page for the paid engine, including vulkro guard in your assistant's write loop.