AICLUDE User Guide
Comprehensive guide to AI Agent Security Vulnerability Scanner
Table of Contents
1. Overview
AICLUDE automatically detects security vulnerabilities in AI Agent systems (MCP Servers, Skills), tests them in isolated sandboxes, and generates comprehensive security reports. It scans thousands of packages from npm, GitHub, Smithery, and other registries to proactively identify threats before they reach production environments.
2. Scan Engines
AICLUDE uses 7 specialized scan engines that run in parallel for comprehensive security analysis:
1SAST (Static Analysis)
Pattern-based static code analysis using YAML rule definitions. Detects command injection, code execution, credential exposure, path traversal, and insecure deserialization patterns.
2SCA (Software Composition Analysis)
Dependency CVE lookup via OSV.dev, SBOM generation, and typosquatting detection. Identifies known vulnerabilities in third-party packages.
3Tool Analyzer
Analyzes MCP tool definitions for poisoning (malicious instructions in tool descriptions), shadowing (name collision attacks), and rug-pull (runtime definition changes).
4DAST (Dynamic Analysis)
Parameter fuzzing for SQL injection, command injection, and XSS. Tests tool inputs with adversarial payloads in a sandboxed environment.
5Permission Checker
Analyzes filesystem, network, and process access permissions. Identifies excessive privileges and missing sandbox configurations.
6Behavior Monitor
Runtime behavior pattern detection. Monitors for anomalous data flows, unauthorized network connections, and suspicious process spawning.
7Malware Detector
Signature-based scanning, entropy analysis, and detection of backdoors, cryptominers, ransomware, data stealers, droppers, and rootkit evasion techniques.
3. AI Agent Threat Categories
AICLUDE classifies threats into 10 categories specific to AI Agent ecosystems:
Hidden malicious instructions embedded in MCP tool descriptions that manipulate AI agent behavior. Attackers inject prompts to override safety controls or extract sensitive data.
AI agents granted overly broad permissions beyond what is necessary. Includes unrestricted filesystem access, network capabilities, or process execution without proper sandboxing.
Sensitive data exposure through credential leaks, data exfiltration channels, or unprotected API keys in source code and tool configurations.
Unsafe deserialization of tool outputs or parameter injection vulnerabilities that allow attackers to manipulate data processing pipelines.
Malicious instructions injected into MCP tool definitions. Tool descriptions contain hidden directives that override agent behavior when processed.
Tool definitions that change after installation. An MCP server initially appears safe but later modifies its tool behavior to become malicious.
Tool name collisions and authentication bypasses enabling server impersonation. Attackers create tools with identical names to intercept communications.
Abnormal data flows between MCP servers. Data stolen from one server context is exfiltrated through another, bypassing isolation boundaries.
Overly broad filesystem, network, and process access permissions. Missing sandboxing allows unrestricted system access beyond operational needs.
OS command execution or arbitrary code injection through tool parameters. Attackers exploit unsanitized inputs to execute system commands.
4. Risk Levels
Each target receives a risk score (0-100) and corresponding risk level:
Immediate action required. Active exploitation possible. Contains severe vulnerabilities like backdoors, data exfiltration, or prompt injection.
Significant risk. Should be addressed promptly. May include command injection vectors or excessive permissions.
Moderate risk. Plan remediation. Typically involves missing sandboxing or known CVEs in dependencies.
Minor risk. Address when convenient. Usually informational findings or low-impact permission issues.
Safe. No significant risk detected. Target has passed all security checks.
5. Reading Reports
Each scan report contains: an overall risk score and level, vulnerability count by severity, detailed findings from each engine with code locations, remediation suggestions, and SBOM (Software Bill of Materials). Use the dashboard to monitor trends, view highest-risk targets, and track safe MCP servers and skills.