Skip to content
Firmis

Deep Scan

Deep scan uses AI to semantically analyze your agent’s tools, skills, and configurations. It catches threats that deterministic rules cannot:

  • Third-party content ingestion - “this skill reads email” means prompt injection risk
  • Credential extraction - “this skill imports Chrome cookies” vs “this skill needs an API key”
  • Permission bypass semantics - understanding what --yolo actually means in context
  • Outbound communication - semantic understanding of who the agent can message

How it works

Section titled “How it works”
┌──────────────────────────────────────────────────────┐
│  Static Scan (free, instant, 324 rules)              │
│  Output: Patterns Mapped                             │
│    Known Vulnerabilities ─── fixable immediately     │
│    Fixable Patterns      ─── firmis fix .            │
│    Security Hotspots     ─── need verification       │
└───────────────┬──────────────────────────────────────┘
                │ (optional, uses AI credits)
                
┌──────────────────────────────────────────────────────┐
│  Deep Scan (LLM verification)                        │
│  Input: Security Hotspots from static scan           │
│  Output:                                             │
│    Confirmed Threats  ─── firmis fix --deep .        │
│    Expected Behavior  ─── dismissed (safe)           │
│    Unverified         ─── low confidence             │
└──────────────────────────────────────────────────────┘
  1. Static scan runs first (324 rules, instant)
  2. Deep scan analyzes each component with a security auditor prompt
  3. Findings below 60% confidence are filtered out
  4. Results are merged into the scan report

See Finding States & Grades for how deep scan results map to finding states.

Why deep scan matters

Section titled “Why deep scan matters”

Rules match patterns. AI understands context. That difference matters because agent security threats often look like normal code to a regex engine. A skill that “reads email” is legitimate functionality to a rule scanner, but a prompt injection risk to a security auditor who understands what happens when untrusted content enters an agent’s context.

In our testing, adding deep scan to static analysis reduced false positives by 20-30% and caught an entire class of semantic threats that rules alone missed.

What deep scan adds over static-only

Section titled “What deep scan adds over static-only”

Deep scan catches threat categories that pattern matching cannot:

  • Outbound communication capability assessment
  • Supply chain risk in install patterns (go install @latest)
  • Credential extraction vs standard API key configuration
  • Third-party content flow analysis

Usage

Section titled “Usage”
Terminal
# Run deep scan (requires firmis login)
npx firmis-cli scan --deep


# Output includes both static + deep findings
npx firmis-cli scan --deep --json --output report.json

Deep scan requires a Firmis account (firmis login). The AI analysis runs server-side - no API keys needed on your machine.

What it catches that static misses

Section titled “What it catches that static misses”

Third-party content ingestion

Section titled “Third-party content ingestion”

Static rules can detect known patterns like fetch() or readFile(). Deep scan understands that a Discord skill reading messages, a Gmail skill reading email bodies, or a GitHub skill reading issue comments all create indirect prompt injection risk — because any of that content could contain adversarial instructions.

Credential extraction vs standard config

Section titled “Credential extraction vs standard config”

Static rules flag any reference to credentials. Deep scan distinguishes between:

  • A tool that needs OPENAI_API_KEY to function (standard config, not a finding)
  • A tool that reads Chrome’s Login Data database (credential extraction, always a finding)

Permission bypass semantics

Section titled “Permission bypass semantics”

Static rules can match known flags like --yolo. Deep scan understands the semantic implication: this flag disables safety controls before executing file operations, which amplifies the blast radius of any other vulnerability in the tool.

Pricing

Section titled “Pricing”

Deep scan uses 5 AI credits per component analyzed.

TierPriceAI CreditsDeep Scans
Free$050/monthFirst scan free. Additional scans use credits from your balance
Pro$49/month500/monthUnlimited (never blocked)
Business$299/month3,000/monthUnlimited (never blocked)

Need more credits? Top-up packs start at 6c/credit.

When credits are exhausted, static analysis continues to run normally. No data is lost and no scans are blocked — the AI layer pauses until credits reset or you top up.

Privacy

Section titled “Privacy”

Deep scan sends component content (tool definitions, skill descriptions, config files) to an AI model for analysis. The content is used only for the security analysis and is not stored or used for training. If your codebase cannot leave your machine, use static-only scanning (npx firmis-cli scan without --deep).

Section titled “Related”