tooltrust-scanner
This agent acts like a security check for the tools your AI uses. It identifies potential risks like a tool trying to access sensitive data or gain unauthorized access. Businesses using AI agents, especially those integrating external tools, can use this to ensure their AI systems are safe and reliable. It’s particularly helpful for preventing problems that arise from trusting tools from unknown or untrusted sources. The agent provides a clear report on each tool, highlighting any concerns and suggesting actions to take, allowing for informed decisions about which tools to use. It essentially creates a layer of protection against unexpected and potentially harmful behavior from the tools powering your AI.
# ToolTrust Scanner
[CI](https://github.com/AgentSafe-AI/tooltrust-scanner/actions/workflows/ci.yml) · [Security workflow](https://github.com/AgentSafe-AI/tooltrust-scanner/actions/workflows/security.yml) · [Stargazers](https://github.com/AgentSafe-AI/tooltrust-scanner/stargazers) · [Go Report Card](https://goreportcard.com/report/github.com/AgentSafe-AI/tooltrust-scanner) · [Glama MCP listing](https://glama.ai/mcp/servers/AgentSafe-AI/tooltrust-scanner) · [npm: tooltrust-mcp](https://www.npmjs.com/package/tooltrust-mcp) · [License](LICENSE)
**Scan MCP servers for prompt injection, data exfiltration, and privilege escalation before your AI agent blindly trusts them.**
> **🚨 Supply-Chain Incident Coverage (March 2026)**
> ToolTrust now detects and blocks confirmed supply-chain incidents including the LiteLLM / TeamPCP compromise and the malicious axios npm publish (`axios@1.14.1`, `axios@0.30.4`). For npm-backed MCP servers, ToolTrust now combines blacklist matches, lifecycle-script review, transitive lockfile recovery, and IOC matching such as `plain-crypto-js` to surface suspicious releases earlier.

## Live UI

- Browse the public directory: [https://www.tooltrust.dev/](https://www.tooltrust.dev/)
- Look up historical grades for popular MCP servers
- Review findings in a browser before installing or trusting a server
## What it looks like
```
Scan Summary: 14 tools scanned | 13 allowed | 1 need approval | 0 blocked
Tool Grades: A×13 C×1
Findings by Severity: HIGH×1 MEDIUM×14 LOW×1 (16 total)
Flagged Tools:
• search_files 🟡 GRADE C needs approval
[AS-002] High: Network access declared
[AS-011] Low: Missing rate-limit or timeout
Action now: Keep this tool on manual approval until the risky capabilities are reviewed.
```
## 🤖 Let your AI agent scan its own tools
Add ToolTrust as an MCP server in your `.mcp.json` and your agent can audit every tool it has access to:
> **Note:** First run downloads a ~10MB Go binary from GitHub Releases. Subsequent runs use the cached binary.
```json
{
  "mcpServers": {
    "tooltrust": {
      "command": "npx",
      "args": ["-y", "tooltrust-mcp"]
    }
  }
}
```
Then ask your agent to run:
- `tooltrust_scan_config` to scan all configured MCP servers
- `tooltrust_scan_server` to scan one specific server
- Full MCP tool list: [Usage guide](docs/USAGE.md#mcp-tools)
## 🔍 What it catches
- Prompt injection and tool poisoning hidden in descriptions
- Excessive permissions such as `exec`, `network`, `db`, and `fs`
- Supply-chain CVEs and known compromised package versions
- Suspicious npm lifecycle scripts that execute during install
- Suspicious npm IOC dependencies and indicators: helper packages such as `plain-crypto-js`, reviewed install-script patterns, and malicious domains or URLs referenced from published package metadata
- Dependency visibility gaps when an MCP server does not expose enough metadata for supply-chain analysis
- Privilege escalation and arbitrary code execution patterns
- Typosquatting, tool shadowing, and insecure secret handling
- Missing rate-limit, timeout, or retry configuration on risky tools
ToolTrust now labels supply-chain coverage in scan output:
- `No dependency data`
- `Declared by MCP metadata`
- `Verified from local lockfile`
- `Verified from remote lockfile`
- `Repo URL available`
For live local scans, ToolTrust also makes a best-effort inspection of common dependency artifacts when it can infer a project root from the launch command:
- `package-lock.json` / `npm-shrinkwrap.json`
- `pnpm-lock.yaml`
- `yarn.lock`
- `go.sum`
- `requirements.txt`
For remote GitHub repos exposed via `repo_url`, ToolTrust also inspects common lockfiles for transitive dependency evidence:
- `package-lock.json`
- `pnpm-lock.yaml`
- `yarn.lock`
- `go.sum`
- `requirements.txt`
Recent incident coverage includes:
- LiteLLM `1.82.7` / `1.82.8` and related TeamPCP compromise indicators
- Axios `1.14.1` / `0.30.4` malicious npm publish
- npm metadata IOC detection for helper packages such as `plain-crypto-js`
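As an added illustration of the lockfile matching described above (example code, not ToolTrust's own), the Go snippet below walks an npm lockfile's `packages` map, nested paths for transitive dependencies included, and matches each entry against the blocked versions and IOC package named in this README. The lockfile content, the `ScanLockfile` name and the two indicator tables are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample lockfile (npm lockfileVersion 2/3 layout), not a real project's file.
// The nested node_modules path is a transitive dependency pulled in by some-dep.
const sampleLock = `{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-mcp-server", "version": "1.0.0"},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/some-dep/node_modules/axios": {"version": "0.30.4"},
    "node_modules/plain-crypto-js": {"version": "0.1.0"}
  }
}`
type Finding struct{ Name, Version, Reason string } // why one lockfile entry was flagged
// Indicators quoted in the README's incident note; a real deployment loads a maintained feed.
var blockedVersions = map[string]bool{"axios@1.14.1": true, "axios@0.30.4": true}
var iocPackages = map[string]bool{"plain-crypto-js": true}
// ScanLockfile checks every "packages" entry (encoding/json matches field names case-insensitively),
// nested node_modules paths included, and returns findings keyed by lockfile path.
func ScanLockfile(data []byte) (map[string]Finding, error) {
	var lock struct{ Packages map[string]struct{ Version string } }
	if err := json.Unmarshal(data, &lock); err != nil {
		return nil, fmt.Errorf("parse lockfile: %w", err)
	}
	found := map[string]Finding{}
	for path, pkg := range lock.Packages {
		i := strings.LastIndex(path, "node_modules/")
		if i < 0 {
			continue // the "" root entry is the project itself, not a dependency
		}
		name := path[i+len("node_modules/"):] // keeps "@scope/name" whole
		if blockedVersions[name+"@"+pkg.Version] {
			found[path] = Finding{name, pkg.Version, "known malicious release"}
		} else if iocPackages[name] {
			found[path] = Finding{name, pkg.Version, "IOC helper package"}
		}
	}
	return found, nil
}

func main() {
	found, err := ScanLockfile([]byte(sampleLock))
	fmt.Println(len(found), "flagged entries:", found, "error:", err)
}
```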
Full rule catalog: [docs/RULES.md](docs/RULES.md) · [tooltrust.dev](https://www.tooltrust.dev/)
Threat-intel and IOC promotion flow: [docs/IOC_PIPELINE.md](docs/IOC_PIPELINE.md)
Scanner scope guardrails: [docs/SCANNER_SCOPE.md](docs/SCANNER_SCOPE.md)
## More ways to use ToolTrust
- CLI install, examples, and flags: [Usage guide](docs/USAGE.md#cli)
- Scan-before-install workflow: [Gate docs](docs/USAGE.md#gate)
- CI / GitHub Actions examples: [CI integration](docs/USAGE.md#github-actions)
- Pre-commit / alias setup: [Pre-hook integration](docs/USAGE.md#pre-hook-integration)
---
[Usage guide](docs/USAGE.md) · [Developer guide](docs/DEVELOPER.md) · [Contributing](docs/CONTRIBUTING.md) · [Changelog](CHANGELOG.md) · [Security](docs/SECURITY.md) · [License: MIT](LICENSE) © 2026 AgentSafe-AI