Aguara MCP

Local security checks for AI agents before they trust third-party tools.

Aguara MCP gives Claude Code, Cursor, Windsurf, and any MCP-compatible agent a local tool for reviewing untrusted agent content before acting on it.

When an agent is about to install an MCP server, inspect a skill, read a plugin README, or load a tool configuration, it can call Aguara first. The scan runs locally, inside the MCP server, and returns a structured verdict with findings, severity, remediation, and the rule that triggered.

No LLM calls. No network access. No subprocess to the aguara binary. The MCP server imports Aguara as a Go library and runs the scanner in-process.

Use it to help agents answer questions like:

• Is this MCP config exposing credentials?
• Does this tool description contain prompt injection?
• Is this README asking the agent to run unsafe install commands?
• Does this skill try to read secrets or exfiltrate data?
• Which rule triggered, and why?

Aguara MCP v0.6.1 is aligned with Aguara v0.18.2. It includes the current 219-detection catalog, analyzer-emitted rules, sensitivity-based output redaction, Unicode normalization, and context-aware false-positive reduction. Built on the official MCP SDK (v1, Tier 1).

Repository-wide dependency checks (npm, PyPI, pnpm, Go, crates.io, Composer, RubyGems, Maven, NuGet) are still handled by the Aguara CLI:

aguara check .
aguara audit . --ci

These will land as MCP tools in a future release once Aguara core exposes a stable public Check API; see garagon/aguara for the CLI install path.

The problem

AI agents are gaining autonomy. They browse registries, discover tools, install MCP servers, and execute third-party code - often without any security review.

This creates a new attack surface. A skill published to a registry today can contain:

• Prompt injection that hijacks the agent's behavior ("ignore all previous instructions...")
• Credential theft that exfiltrates API keys, tokens, and secrets from the agent's environment
• Remote code execution hidden in install scripts (curl | bash, shell injection)
• Data exfiltration that silently sends user data to attacker-controlled endpoints
• Supply chain attacks through dependency confusion and typosquatting

The agent doesn't know. It can't tell a helpful tool from a weaponized one. The description looks normal. The install succeeds. The damage is done.

This is the gap Aguara MCP fills. It gives the agent a security advisor it can consult as a tool - the same way a developer would run a linter before merging code. One tool call, milliseconds, entirely local. The agent checks first, then decides.

Quick start

curl -fsSL https://raw.githubusercontent.com/garagon/mcp-aguara/main/install.sh | sh

One command, one binary, no external dependencies. The installer verifies SHA256 checksums before extracting and fails closed if no sha256 verifier is available on the host (no silent skip).

Make sure the install directory (~/.local/bin) is in your PATH. The binary is statically linked with the Aguara rule catalog and analyzers compiled in so all MCP scans run fully offline. Aguara core's OSV-derived threat-intel snapshot is not bundled in this binary because the MCP does not expose repository-wide dependency checks yet; use the Aguara CLI for those (see garagon/aguara for install + usage).

Add to your AI agent

Claude Code:

claude mcp add aguara -- aguara-mcp

Claude Desktop - add to claude_desktop_config.json:

{
  "mcpServers": {
    "aguara": {
      "command": "aguara-mcp"
    }
  }
}

Cursor / Windsurf / any MCP client - stdio transport with aguara-mcp.

Your agent now has a security advisor.

Tools

scan_content

Scan text for security threat

... View full README on GitHub