Is Aguara safe to use?

Aguara has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under Apache-2.0.

How do I install Aguara?

Aguara can be installed by cloning its GitHub repository and following the setup instructions in the README.

What AI clients work with Aguara?

Aguara is compatible with Claude Desktop, Cursor, Claude Code, and most MCP clients that support stdio transport. It uses stdio transport.

Is Aguara actively maintained?

Aguara is actively maintained — last commit was 1 day ago. It has 61 GitHub stars.

Aguara

Security scanner for AI agent skills and MCP servers.
Detect prompt injection, data exfiltration, and supply-chain attacks before they reach production.

Installation • Quick Start • How It Works • Usage • Rules • Incident Response • Aguara MCP • Aguara Watch • Contributing

https://github.com/user-attachments/assets/851333be-048f-48fa-aaf3-f8cc1d4aa594

Why Aguara?

AI agents and MCP servers run code on your behalf. A single malicious skill file can exfiltrate credentials, inject prompts, or install backdoors. Aguara catches these threats before deployment with static analysis that requires no API keys, no cloud, and no LLM.

189 detection rules across 14 categories — prompt injection, data exfiltration, credential leaks, supply-chain attacks, MCP-specific threats, command execution, SSRF, unicode attacks, and more.
4-layer analysis engine — pattern matching, NLP analysis, taint tracking, and rug-pull detection work together to catch threats that any single technique would miss.
6 decoders for encoded evasion — base64, hex, URL encoding, Unicode escapes, HTML entities, and hex escapes. Obfuscated payloads are decoded and re-scanned automatically.
NLP on markdown, JSON, and YAML — goldmark AST analysis for markdown files, plus string extraction and classification for JSON/YAML tool descriptions. Catches MCP tool poisoning in structured configs.
Cross-file toxic flow analysis — detects dangerous capability combinations split across files in the same MCP server directory (e.g., one tool reads credentials, another sends to a webhook).
Aggregate risk score — 0-100 score with diminishing returns across findings. Available in JSON, SARIF, and terminal output.
Context-aware scanning — pass the tool name (--tool-name Edit) and the scanner automatically skips rules that are always false positives for that tool. Built-in exemptions for Edit, Write, WebFetch, Bash, and more.
Scan profiles — strict (default), content-aware, or minimal enforcement. Findings are always preserved for audit; only the verdict (clean/flag/block) changes.
Evasion prevention — NFKC normalization catches fullwidth character evasion. 6 decoders catch encoded payloads. Crypto address filtering prevents hex decoder false positives.
Dynamic confidence scoring — every finding carries a confidence level (

... View full README on GitHub

Aguara

Quick Install

Should you use this server?

Test This Server

Score Breakdown

MCPpedia Score

Security

Help improve this page

Reviews

Frequently Asked Questions

Similar servers

XcodeBuildMCP

Sequential Thinking MCP Server

Arxiv Mcp Server

Gemini Cli

Discussion

Aguara

Why Aguara?