Platforms
Platform-agnostic AI agent security. Built-in analyzers for Claude, Cursor, MCP, Codex, CrewAI, AutoGPT, OpenClaw, Nanobot, and Supabase — with extensible detection that works on any AI agent framework.
Most developers only think about the platforms they are actively building against. But an MCP server installed months ago, a Cursor extension pulled from a marketplace, a CrewAI agent scaffolded from a template: these all run on your machine, with access to your files and credentials, and most of them have never been audited.
Firmis detects all of them automatically.
What is a platform?
In Firmis, a platform is a supported AI agent framework. Each platform has:
- A set of detection signals - file paths or glob patterns that indicate the platform is present
- A set of component types - the unit of scanning (skill, server, plugin, agent, extension)
- A set of file patterns - the source files, configs, and manifests collected for rule evaluation
- A maturity level - GA, Beta, or Experimental (see table below)
When you run npx firmis-cli scan, Firmis checks each platform’s detection signals against the current directory and any well-known installation paths. Detected platforms are scanned; undetected platforms are skipped. No configuration required.
Platform maturity
| Maturity | Meaning |
|---|---|
| GA | Fully supported. Detection signals, component enumeration, and file analysis are stable and production-tested. |
| Beta | Supported with minor limitations. Some component types or metadata may not be fully detected. Feedback welcome. |
| Experimental | Early support. Detection works but may miss edge cases. Breaking changes possible in future releases. |
The maturity label reflects the reliability of detection and component enumeration - not the quality of the security analysis. All platforms apply the full 324-rule catalog regardless of maturity level. An Experimental platform gets the same depth of analysis as a GA platform.
Detection signals by platform
| Platform | Maturity | Detection signals |
|---|---|---|
| Claude Skills | GA | ~/.claude/skills/ directory exists |
| MCP Servers | GA | ~/.config/mcp/mcp.json, ~/Library/Application Support/Claude/claude_desktop_config.json, or .vscode/mcp.json exists |
| Cursor Extensions | GA | ~/.cursor/extensions/ or ~/.vscode/extensions/ directory exists |
| Codex Plugins | Beta | ~/.codex/plugins/ directory exists |
| CrewAI Agents | Beta | crew.yaml or crew.yml file found anywhere in the project tree |
| AutoGPT Plugins | Experimental | ~/.autogpt/plugins/ or ~/AutoGPT/plugins/ directory exists |
| OpenClaw Skills | Experimental | ~/.openclaw/skills/ directory exists |
| Nanobot Agents | Experimental | nanobot.yaml or nanobot.yml file found in the project tree |
| Supabase | GA | supabase/config.toml, supabase/migrations/ directory, or supabase/functions/ directory exists |
The Claude Desktop path in the MCP row is the macOS location. If your MCP config lives somewhere else, auto-detection will not see it; force the platform with --platform mcp (see below) so the servers it lists are still scanned.
Auto-detection
Detection runs before scanning. For each platform, Firmis checks whether the relevant paths or files exist:
```
npx firmis-cli scan .
  │
  ▼
For each platform (claude, mcp, codex, cursor, crewai, autogpt, openclaw, nanobot, supabase):
  Does the detection signal exist?
    Yes → add platform to scan list
    No  → skip
```
No configuration is required. If your project contains a crew.yaml file, CrewAI is detected. If ~/.config/mcp/mcp.json exists, MCP is detected. Firmis reports which platforms were detected at the start of each scan.
To see what Firmis would detect without running a full scan:
```
npx firmis discover
```
Platform details
Claude Skills - GA
Claude Skills are extensions to the Claude AI assistant stored in ~/.claude/skills/. Each skill is a directory containing a skill.json manifest and one or more Markdown or JavaScript files.
Claude Skills have direct access to the agent’s context window and can influence every response the agent generates. A malicious skill that injects hidden instructions into every prompt is the highest-impact attack vector in the Claude ecosystem.
Components detected: skill directories
Files analyzed: **/*.md, **/skill.json, **/package.json
Config file: skill.json
MCP Servers - GA
Model Context Protocol (MCP) servers expose tools to AI agents via a standardized JSON-RPC protocol. Firmis detects MCP servers from config files in Claude Desktop, VS Code, and standard config paths. Individual server directories under ~/.mcp/servers/ are also detected.
MCP is the most actively targeted attack surface in the current threat landscape. Firmis cites 72.8% of tool poisoning attacks targeting MCP tool descriptions and 341 malicious tools found on MCP marketplaces; no source for these figures is given on this page. The protocol's power, giving agents access to arbitrary tools, is exactly what makes it dangerous when those tools are unaudited.
Components detected: servers listed in mcpServers config, or server subdirectories
Files analyzed: **/*.{js,ts,py,go,rs}, **/package.json, **/pyproject.toml, **/Cargo.toml, **/go.mod
Config file: mcp.json, claude_desktop_config.json
Cursor Extensions - GA
Cursor is an AI-powered code editor built on VS Code. Extensions for Cursor are installed in ~/.cursor/extensions/ and follow the VS Code extension manifest format: a package.json with an engines.vscode entry and a contributes section (commands, views, and the other contribution points).
Extensions run inside the editor with access to the filesystem and network. A malicious extension can read any file the editor can access - including credentials, SSH keys, and source code.
Components detected: extension directories
Files analyzed: **/*.{js,ts}, **/package.json
Config file: package.json (VS Code extension manifest)
Codex Plugins - Beta
OpenAI Codex plugins extend the Codex CLI agent with additional capabilities. Plugins are stored in ~/.codex/plugins/ and use a JSON manifest format.
Components detected: plugin directories
Files analyzed: **/*.{js,ts,py}, **/manifest.json, **/plugin.json
Config file: manifest.json or plugin.json
CrewAI Agents - Beta
CrewAI is a Python framework for building multi-agent systems. A CrewAI project is detected by the presence of crew.yaml or crew.yml in the project tree. Each crew config defines agents, tasks, and tools.
Multi-agent systems introduce a new attack surface: agent-to-agent communication. A compromised agent in a crew can propagate malicious instructions to other agents in the same workflow.
Components detected: directories containing crew.yaml
Files analyzed: **/*.{py,yaml,yml}, **/crew.yaml, **/agents.yaml
Config file: crew.yaml
AutoGPT Plugins - Experimental
AutoGPT is an autonomous agent platform. Plugins extend AutoGPT with new commands and are stored in ~/.autogpt/plugins/ or ~/AutoGPT/plugins/.
Components detected: plugin directories
Files analyzed: **/*.py, **/plugin.json, **/manifest.json
Config file: plugin.json or manifest.json
OpenClaw Skills - Experimental
OpenClaw is an open-source agent framework. Skills are stored in ~/.openclaw/skills/ and are defined by Markdown files with YAML frontmatter describing the skill's tools and permissions.
Components detected: skill directories
Files analyzed: **/*.md, **/*.js, **/*.ts, **/*.py, **/SKILL.md
Config file: SKILL.md (frontmatter)
Nanobot Agents - Experimental
Nanobot is a lightweight agent runtime. Agent configurations are defined in nanobot.yaml files, which specify agent behavior, tool access, and MCP server connections.
Components detected: directories containing nanobot.yaml
Files analyzed: **/*.yaml, **/*.yml, **/*.md, **/*.js, **/*.ts, **/*.go
Config file: nanobot.yaml
Supabase - GA
Supabase projects include Edge Functions (Deno-based serverless functions), database migrations, storage configuration, and authentication settings. Firmis detects Supabase projects by the presence of supabase/config.toml, a supabase/migrations/ directory, or a supabase/functions/ directory.
Edge Functions run server-side with access to environment variables, database connections, and external APIs. A compromised Edge Function can exfiltrate data, bypass Row Level Security (a function that queries with the service_role key talks to the database with RLS bypassed rather than as the calling user), or serve as a pivot point into the database layer. Migration files can contain destructive SQL or policy changes that weaken Row Level Security.
Components detected: Edge Function directories, migration files, config files
Files analyzed: supabase/functions/**/*.{ts,js}, supabase/migrations/**/*.sql, supabase/config.toml, .env, .env.local
Config file: supabase/config.toml
Forcing a specific platform
If auto-detection does not pick up your platform, you can force it with the --platform flag:
```shell
# Scan only MCP servers
npx firmis-cli scan --platform mcp

# Scan only CrewAI agents
npx firmis-cli scan --platform crewai

# Scan only Claude Skills
npx firmis-cli scan --platform claude
```
Valid platform values: claude, mcp, codex, cursor, crewai, autogpt, openclaw, nanobot, supabase
What to read next
- How It Works - the full discovery → rule engine → reporter pipeline
- Claude Skills - Claude-specific scanning guide with common findings
- MCP Servers - MCP-specific scanning guide and tool poisoning detection
- firmis scan - the --platform flag and all other scan options
- firmis discover - list detected platforms without running a full scan