Skip to main content

audit

One line: what is my whole agent surface right now, and what on it is risky?

Your agent's attack surface is scattered across config files you rarely reopen: MCP server entries, rules and instruction files, skills, hooks, permission settings. audit walks the well-known config locations for Claude Code, Claude Desktop, Cursor, Windsurf, and Cline (project and home) and sweeps all of it in one pass:

  • inventories every MCP server and verifies its backing package (like inspect)
  • scans every rules / skill / instructions file for prompt-injection and hidden unicode (with warden's engine)
  • flags hooks whose command shells out to the network
  • flags config values (server env, headers, args) that look like a plaintext secret, using a prefix plus entropy classifier
  • flags dangerous settings: auto-approve / alwaysAllow, permission bypass modes, and hooks that fetch and execute remote code

It reads only local config and public package metadata, never your source code. It never launches a server and never runs a hook.

Usage

vulkro-live audit
vulkro-live audit --format sarif > agent-surface.sarif
vulkro-live audit --write-baseline .vulkro/audit-baseline.json
vulkro-live audit --diff .vulkro/audit-baseline.json

Example

$ vulkro-live audit

Agent surface audit: scanned 5 config and instruction file(s).

MCP servers (1):
GREEN filesystem OK latest 2026.1.14, 404643 weekly downloads
via .mcp.json: npx -y @modelcontextprotocol/server-filesystem .

Config secrets (plaintext values that look like secrets):
HIGH filesystem/API_TOKEN = sk_...4c (token-prefix) (.mcp.json)

1 server(s), 0 flagged; 0 instruction finding(s); 0 network hook(s); 1 config secret(s); 0 dangerous setting(s).

Baselines: audit as a standing gate

--write-baseline records a committable snapshot of the surface; --diff reports only what changed since it: a new server, a setting flipped to auto-approve, a new network hook, a new secret. That turns audit from a one-off report into a CI gate that stays quiet until the surface actually moves.

$ vulkro-live audit --diff .vulkro/audit-baseline.json

MEDIUM - diff-server-added new MCP server since the baseline: npx -y some-brand-new-fetcher-mcp

Flags

FlagEffect
--min-age-days <DAYS>Flag packages created within this many days as SUSPICIOUS (default 30)
--min-downloads <N>Flag packages with fewer than this many downloads as SUSPICIOUS (default 100)
--no-cacheBypass the local response cache and always query live
--format <FORMAT>text (default), json, or sarif; see Output formats
--write-baseline <FILE>Write a committable baseline snapshot of the agent surface
--diff <FILE>Report only what changed since that baseline

Exit codes: 0 when nothing is flagged, 1 when a server is REVIEW/AVOID, an instruction file has an actionable finding, a hook reaches the network, a config secret is found, or a dangerous setting is set, 2 on an error.

Composes with

  • skillscan goes one level deeper than audit on skills: audit reads a skill's prose, skillscan opens the scripts it bundles.
  • memcheck covers the one surface audit does not: stored memory.
  • trustdb clears reviewed servers, manifests, and files so audit stays quiet about what you already vetted.
  • Commit the baseline next to .vulkro/trust.toml and .vulkro/mcp.lock: the repo becomes the reviewable record of your agent surface.