Find what's hiding in your agent stack
324 detection rules. 21 threat categories. Prompt injection, credential harvesting, tool poisoning, supply chain attacks - scanned in seconds, reported in plain English.
Research published in 2025–2026 shows what’s already happening to agent users:
| Stat | Source |
|---|---|
| 72.8% MCP tool poisoning attack success rate | MCPTox Research |
| 82% of MCP servers have path traversal vulnerabilities | Endor Labs |
| 7.1% of agent marketplace skills are actively stealing credentials | Firmis Research |
| 1.2M malicious packages discovered in the wild | Sonatype 2026 |
| CVSS 10/10 zero-click RCE in Claude Desktop Extensions | LayerX Security |
You are not the target. Your credentials are. And they’re sitting one misconfigured MCP server away from leaving your machine.
Audit every MCP server you've installed
72.8% of poisoning attacks succeed against popular LLMs. Firmis checks your MCP configs for hidden instructions, malicious tool definitions, and unauthorized network calls before they run.
Know exactly what's in your AI stack
CycloneDX 1.7 Agent Bill of Materials - every component, dependency, model, and tool definition catalogued. Know what you have before you ship it.
Block threats in CI before they reach prod
One command: discover → BOM → scan → report. SARIF output for GitHub Security tab. Exit non-zero on high or critical findings. Done.
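The CI gate described above, as an added example that is not Firmis code: it reads a SARIF 2.1.0 report, derives each finding's severity from the rule's `security-severity` property (the one GitHub code scanning reads), falls back to the SARIF `level` when that is absent, and returns a non-zero exit code when any high or critical finding is present. The report, rule ids and messages below are constructed for the example.

```python
"""Fail a CI step on high/critical findings in a SARIF 2.1.0 report (illustrative, not Firmis)."""
import json

# Constructed SARIF report; rule ids and messages are invented for this example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "EX-TOOL-POISON", "properties": {"security-severity": "9.8"}},
            {"id": "EX-NET-CALL", "properties": {"security-severity": "5.0"}},
            {"id": "EX-NO-AUTH"},  # no security-severity: fall back to the result level
        ]}},
        "results": [
            {"ruleId": "EX-TOOL-POISON", "level": "error",
             "message": {"text": "Hidden instructions in a tool description"}},
            {"ruleId": "EX-NET-CALL", "level": "warning",
             "message": {"text": "Tool makes an HTTP call to a hardcoded host"}},
            {"ruleId": "EX-NO-AUTH", "level": "note",
             "message": {"text": "Server accepts connections without authentication"}},
        ],
    }],
})

FAIL_ON = {"critical", "high"}

def severity_from_score(score):
    """GitHub's documented buckets for security-severity: >=9 critical, >=7 high, >=4 medium."""
    s = float(score)
    return "critical" if s >= 9.0 else "high" if s >= 7.0 else "medium" if s >= 4.0 else "low"

def result_severity(result, rules_by_id):
    rule = rules_by_id.get(result.get("ruleId"), {})
    score = rule.get("properties", {}).get("security-severity")
    if score is not None:
        return severity_from_score(score)
    # Fallback mapping from the SARIF level; an assumption, not part of the SARIF spec.
    return {"error": "high", "warning": "medium", "note": "low"}.get(result.get("level"), "unknown")

def count_by_severity(sarif_text):
    counts = {}
    for run in json.loads(sarif_text).get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            sev = result_severity(res, rules)
            counts[sev] = counts.get(sev, 0) + 1
    return counts

def gate_exit_code(sarif_text, fail_on=FAIL_ON):
    """0 when nothing at a failing severity was found, 1 otherwise (the CI step's exit code)."""
    counts = count_by_severity(sarif_text)
    return 1 if any(counts.get(s, 0) for s in fail_on) else 0

if __name__ == "__main__":
    print(count_by_severity(SAMPLE_SARIF))
    raise SystemExit(gate_exit_code(SAMPLE_SARIF))
```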
| Platform | What gets scanned | Status |
|---|---|---|
| Claude Skills | CLAUDE.md, tool definitions, permission scopes | GA |
| MCP Servers | Server configs, tool handlers, transport layer | GA |
| Cursor Rules | .cursorrules, workspace settings, extensions | GA |
| Codex Plugins | Plugin manifests, tool definitions | Beta |
| CrewAI Agents | Agent configs, tool definitions, task chains | Beta |
| AutoGPT Plugins | Plugin manifests, command handlers | Experimental |
| OpenClaw Skills | Skill definitions, skill handlers | Experimental |
| Nanobot Plugins | Plugin configs, tool handlers | Experimental |
324 detection rules across 21 threat categories. Pattern matching for known threats: zero false negatives on known patterns, but it may flag legitimate configurations.
Run firmis scan --deep to have an AI model verify each finding. Confirms true positives, resolves ambiguous findings, catches semantic threats (like “this skill reads untrusted email bodies”) that rules alone cannot detect.
```
npx firmis-cli scan .
        │
        ▼
┌──────────────┐    ┌──────────────┐    ┌──────────────┐
│  Discovery   │───▶│ Rule Engine  │───▶│   Reporter   │
│              │    │              │    │              │
│ Auto-detect  │    │     324      │    │   Terminal   │
│ platforms    │    │ rules across │    │ JSON / SARIF │
│ components   │    │ 21 threat    │    │ HTML report  │
│ dependencies │    │ categories   │    │              │
└──────────────┘    └──────────────┘    └──────────────┘
```

No account. No telemetry. Nothing leaves your machine.
Every finding comes with a severity rating, a plain English explanation of what it means, and what to do about it.
| Category | What it catches | Severity |
|---|---|---|
| Tool Poisoning | Hidden instructions in tool descriptions that hijack your agent | Critical |
| Data Exfiltration | Skills sending your local files to external servers | Critical–High |
| Credential Harvesting | Tools reading AWS, GCP, Azure, or SSH credentials | Critical–High |
| Prompt Injection | Instructions that override your agent’s behavior | Critical–High |
| Secret Detection | Hardcoded API keys, tokens, and passwords | Critical–Medium |
| Supply Chain | Dependencies with known vulnerabilities (OSV database) | High–Medium |
| Malware Signatures | Known malicious code patterns | Critical |
| Known Malicious | Packages flagged across threat intelligence databases | Critical |
| Network Abuse | Unauthorized DNS or HTTP calls | High–Medium |
| File System Abuse | Unauthorized reads or writes to your filesystem | High–Medium |
| Permission Overgrant | Tool scopes wider than they need to be | High–Medium |
| Agent Memory Poisoning | Instructions corrupting your agent’s context window | High |
| Malware Distribution | Tools spreading payloads to other systems | Critical–High |
| Privilege Escalation | Gaining access your agent was never granted | High |
| Insecure Configuration | Weak or missing security settings | Medium–Low |
| Access Control | Missing authentication or authorization checks | High–Medium |
Wait - my AI tools can actually steal my stuff?
Yes. Every agent you install - Cursor, Claude, MCP servers, OpenClaw skills - gets access to your files, API keys, and credentials. Most people never check what these tools actually do behind the scenes. Our research found that 7.1% of agent marketplace skills are actively stealing credentials or sending data to external servers. One command will tell you if yours are clean.
What exactly does Firmis check for?
324 detection rules across 21 threat categories: prompt injection, credential harvesting, data exfiltration, tool poisoning, supply chain attacks, hardcoded secrets, malware signatures, and more. Every finding is explained in plain English - not cryptic error codes. “This skill is reading your AWS credentials and sending them to an unknown server” is the kind of message you get.
Is my code uploaded anywhere?
No. Firmis is fully offline. It reads your config files and source code locally - nothing leaves your machine. No telemetry, no analytics, no account required. Ever.
I’m not a security expert. Can I still use this?
That’s exactly who we built it for. You don’t need to understand regex patterns or YARA rules. You run npx firmis-cli scan . and you get a report that says what’s wrong and what to do about it. Plain English. Every time.
Is it really free?
Completely free. npx firmis-cli scan . - no account, no credit card, no usage limits. You get a security grade (A through F) and a full list of findings in plain English.