audit
One line: what is my whole agent surface right now, and what on it is risky?
Your agent's attack surface is scattered across config files you rarely
reopen: MCP server entries, rules and instruction files, skills, hooks,
permission settings. audit walks the well-known config locations for
Claude Code, Claude Desktop, Cursor, Windsurf, and Cline (project and
home) and sweeps all of it in one pass:
- inventories every MCP server and verifies its backing package (like
inspect) - scans every rules / skill / instructions file for prompt-injection
and hidden unicode (with
warden's engine) - flags hooks whose command shells out to the network
- flags config values (server env, headers, args) that look like a plaintext secret, using a prefix plus entropy classifier
- flags dangerous settings: auto-approve / alwaysAllow, permission bypass modes, and hooks that fetch and execute remote code
It reads only local config and public package metadata, never your source code. It never launches a server and never runs a hook.
Usage
vulkro-live audit
vulkro-live audit --format sarif > agent-surface.sarif
vulkro-live audit --write-baseline .vulkro/audit-baseline.json
vulkro-live audit --diff .vulkro/audit-baseline.json
Example
$ vulkro-live audit
Agent surface audit: scanned 5 config and instruction file(s).
MCP servers (1):
GREEN filesystem OK latest 2026.1.14, 404643 weekly downloads
via .mcp.json: npx -y @modelcontextprotocol/server-filesystem .
Config secrets (plaintext values that look like secrets):
HIGH filesystem/API_TOKEN = sk_...4c (token-prefix) (.mcp.json)
1 server(s), 0 flagged; 0 instruction finding(s); 0 network hook(s); 1 config secret(s); 0 dangerous setting(s).
Baselines: audit as a standing gate
--write-baseline records a committable snapshot of the surface;
--diff reports only what changed since it: a new server, a setting
flipped to auto-approve, a new network hook, a new secret. That turns
audit from a one-off report into a CI gate that stays quiet until the
surface actually moves.
$ vulkro-live audit --diff .vulkro/audit-baseline.json
MEDIUM - diff-server-added new MCP server since the baseline: npx -y some-brand-new-fetcher-mcp
Flags
| Flag | Effect |
|---|---|
--min-age-days <DAYS> | Flag packages created within this many days as SUSPICIOUS (default 30) |
--min-downloads <N> | Flag packages with fewer than this many downloads as SUSPICIOUS (default 100) |
--no-cache | Bypass the local response cache and always query live |
--format <FORMAT> | text (default), json, or sarif; see Output formats |
--write-baseline <FILE> | Write a committable baseline snapshot of the agent surface |
--diff <FILE> | Report only what changed since that baseline |
Exit codes: 0 when nothing is flagged, 1 when a server is
REVIEW/AVOID, an instruction file has an actionable finding, a hook
reaches the network, a config secret is found, or a dangerous setting
is set, 2 on an error.
Composes with
skillscangoes one level deeper than audit on skills: audit reads a skill's prose, skillscan opens the scripts it bundles.memcheckcovers the one surface audit does not: stored memory.trustdbclears reviewed servers, manifests, and files so audit stays quiet about what you already vetted.- Commit the baseline next to
.vulkro/trust.tomland.vulkro/mcp.lock: the repo becomes the reviewable record of your agent surface.