Evo Agent Scan - Experimental Preview
AI-native developers are installing MCP servers and agent skills at speed, often without security review. Agent Scan provides complete visibility and supply chain risk analysis so every agentic tool is known, assessed, and governed.
Learn how our ToxicSkills research uncovered widespread vulnerabilities, prompt injection, and hundreds of malicious AI agent skills in the ClawHub ecosystem.
of all agent skills contain at least one critical-level security issue — malware distribution, prompt injection, or exposed secrets.
of malicious skills combine prompt injection with malware, bypassing both AI safety systems and traditional security scanners.
of skills expose API keys, passwords, and PII through dangerous instruction patterns embedded in the skill definition itself.
Developers install MCP servers and agent skills locally to experiment and build faster. These tools often run outside traditional security visibility.
Agent skills may pull code, prompts, or external dependencies from unknown sources. Without analysis, it’s hard to know whether a tool is safe to run.
Teams adopt agentic tools quickly, but organizations lack clear policies for which tools are approved, blocked, or trusted.
Identify the tools your agents rely on and catch risks early, without disrupting how developers build.
AI-native developers install MCP servers and agent skills without security review, creating shadow AI across your developer fleet. Agent Scan discovers every AI component, where it came from, and where it's running.
Detect every MCP server and agent skill installed
Verify each component comes from an official, trusted source
Detect components installed outside your approved gateway
Flag components outside your approved allowlist automatically
For every MCP server and skill in your inventory, Agent Scan surfaces the risks it carries so security teams can assess tool-level capabilities before deciding what stays on developer machines.
Detect indirect prompt injection vulnerabilities in skills and servers.
Identify malware or malicious code embedded in supply chain components.
Surface exposed credentials and secrets within tool definitions.
Make informed, approve, or block decisions based on actual risk.
Deploy Agent Scan org-wide through IT-managed distribution. Whether you're securing 17 machines or 17,000, gain centralized visibility into your agent tools and their associated risks.
Distribute via IT tooling to all developer endpoints.
Schedule recurring scans with no manual triggers required.
Track scan success and failures in real time.
Monitor scanner version consistency across the fleet.
Set approval status per component and track it across the fleet.
You don't need an enterprise rollout to benefit from Agent Scan. Install the CLI and run it against your own MCP servers and agent skills.
Building agents? Embed Agent Scan in your developer workflow as a pre-commit hook to catch issues before they're committed, or in your CI pipeline to block risky skills before they reach production.
Enable your organization to adopt agentic tools and workflows safely with the visibility, risk controls, and compliance evidence to move fast without flying blind.
Roll out agentic tools to increase developer productivity, without creating a security bottleneck or leaving your stack ungoverned.
Build and ship agents with a secure supply chain, and without exposing your own machine to malicious MCP servers or prompt injection.
Try out the free CLI:
uvx snyk-agent-scan@latest --skills
Inspect any skill before you install it — right from your browser >
Already a Snyk customer?