Your AI agents have access to everything.

The threat is real

Research published in 2025–2026 shows what’s already happening to agent users:

Stat	Source
72.8% MCP tool poisoning attack success rate	MCPTox Research
82% of MCP servers have path traversal vulnerabilities	Endor Labs
7.1% of agent marketplace skills are actively stealing credentials	Firmis Research
1.2M malicious packages discovered in the wild	Sonatype 2026
CVSS 10/10 zero-click RCE in Claude Desktop Extensions	LayerX Security

You are not the target. Your credentials are. And they’re sitting one misconfigured MCP server away from leaving your machine.

What Firmis checks

Find what's hiding in your agent stack

209 detection rules. 16 threat categories. Prompt injection, credential harvesting, tool poisoning, supply chain attacks — scanned in seconds, reported in plain English.

Run your first scan →

Audit every MCP server you've installed

72.8% of poisoning attacks succeed against popular LLMs. Firmis checks your MCP configs for hidden instructions, malicious tool definitions, and unauthorized network calls before they run.

MCP security guide →

Know exactly what's in your AI stack

CycloneDX 1.7 Agent Bill of Materials — every component, dependency, model, and tool definition catalogued. Know what you have before you ship it.

Generate your BOM →

Block threats in CI before they reach prod

One command: discover → BOM → scan → report. SARIF output for GitHub Security tab. Exit non-zero on high or critical findings. Done.

Set up CI →

8 platforms. One command.

Platform	What gets scanned	Status
Claude Skills	CLAUDE.md, tool definitions, permission scopes	GA
MCP Servers	Server configs, tool handlers, transport layer	GA
Cursor Rules	.cursorrules, workspace settings, extensions	GA
Codex Plugins	Plugin manifests, tool definitions	Beta
CrewAI Agents	Agent configs, tool definitions, task chains	Beta
AutoGPT Plugins	Plugin manifests, command handlers	Experimental
OpenClaw Skills	Skill definitions, skill handlers	Experimental
Nanobot Plugins	Plugin configs, tool handlers	Experimental

How it works

npx firmis scan .
       │
       ▼
┌─────────────┐    ┌──────────────┐    ┌─────────────┐
│  Discovery   │───▶│  Rule Engine  │───▶│   Reporter   │
│              │    │              │    │              │
│ Auto-detect  │    │ 209 YAML     │    │ Terminal     │
│ 8 platforms  │    │ rules across │    │ JSON / SARIF │
│ components   │    │ 16 threat    │    │ HTML report  │
│ dependencies │    │ categories   │    │              │
└─────────────┘    └──────────────┘    └─────────────┘

No account. No telemetry. Nothing leaves your machine.

How the detection engine works →

16 threat categories

Every finding comes with a severity rating, a plain English explanation of what it means, and what to do about it.

Category	What it catches	Severity
Tool Poisoning	Hidden instructions in tool descriptions that hijack your agent	Critical
Data Exfiltration	Skills sending your local files to external servers	Critical–High
Credential Harvesting	Tools reading AWS, GCP, Azure, or SSH credentials	Critical–High
Prompt Injection	Instructions that override your agent’s behavior	Critical–High
Secret Detection	Hardcoded API keys, tokens, and passwords	Critical–Medium
Supply Chain	Dependencies with known vulnerabilities (OSV database)	High–Medium
Malware Signatures	Known malicious code patterns	Critical
Known Malicious	Packages flagged across threat intelligence databases	Critical
Network Abuse	Unauthorized DNS or HTTP calls	High–Medium
File System Abuse	Unauthorized reads or writes to your filesystem	High–Medium
Permission Overgrant	Tool scopes wider than they need to be	High–Medium
Agent Memory Poisoning	Instructions corrupting your agent’s context window	High
Malware Distribution	Tools spreading payloads to other systems	Critical–High
Privilege Escalation	Gaining access your agent was never granted	High
Insecure Configuration	Weak or missing security settings	Medium–Low
Access Control	Missing authentication or authorization checks	High–Medium

View all 209 detection rules →

Frequently asked questions

Wait — my AI tools can actually steal my stuff?

Yes. Every agent you install — Cursor, Claude, MCP servers, OpenClaw skills — gets access to your files, API keys, and credentials. Most people never check what these tools actually do behind the scenes. Our research found that 7.1% of agent marketplace skills are actively stealing credentials or sending data to external servers. One command will tell you if yours are clean.

What exactly does Firmis check for?

209 rules across 16 threat categories: prompt injection, credential harvesting, data exfiltration, tool poisoning, supply chain attacks, hardcoded secrets, malware signatures, and more. Every finding is explained in plain English — not cryptic error codes. “This skill is reading your AWS credentials and sending them to an unknown server” is the kind of message you get.

Is my code uploaded anywhere?

No. Firmis is fully offline. It reads your config files and source code locally — nothing leaves your machine. No telemetry, no analytics, no account required. Ever.

I’m not a security expert. Can I still use this?

That’s exactly who we built it for. You don’t need to understand regex patterns or YARA rules. You run npx firmis scan . and you get a report that says what’s wrong and what to do about it. Plain English. Every time.

How is this different from Snyk or Semgrep?

Snyk and Semgrep are built for traditional application code. They don’t know what an MCP server is, what tool poisoning looks like, or how to read a CLAUDE.md file for hidden instructions. Firmis is purpose-built for the AI agent threat surface: 8 platforms, 209 rules written specifically for how agents get compromised.

Is it really free?

Completely free. npx firmis scan . — no account, no credit card, no usage limits. You get a security grade (A through F) and a full list of findings in plain English.