elliotllliu

Multi-engine security scanner for AI agents, MCP servers & plugins — 13 engines, one report.

Found Mar 18, 2026 at 11 stars.
AI Summary

AgentShield is a free tool that scans AI agent skills, plugins, and servers for security risks like backdoors and data leaks using multiple expert checkers.

How It Works

1. 🔍 Find a new AI helper: You discover an exciting AI skill or plugin online that could make your work easier.

2. 📥 Download it safely: You grab the folder from the website or marketplace to try it out.

3. 🛡️ Check for hidden dangers: Run a quick safety scan on the folder with one simple command, no setup needed.

4. 📊 See the expert report: Get a clear summary from trusted security checkers showing whether it's safe or has risks.

5. Review the safety score:
   - It's safe! No big issues found; time to use it.
   - ⚠️ Some risks: Review the warnings and decide whether they are acceptable.

6. 🚀 Use with confidence: Install the helper knowing it's been checked, or skip risky ones safely.


AI-Generated Review

What is agent-shield?

Agent Shield is a TypeScript-based security scanner for AI agents, MCP servers, and plugins. It aggregates 13 engines into one report, flagging risks like backdoors, data exfiltration, prompt injection, and tool poisoning. Run `npx @elliotllliu/agent-shield scan ./my-skill/` for instant results, with outputs in terminal, JSON, HTML, or SARIF.

Why is it gaining traction?

It solves tool sprawl by combining engines like Semgrep, Trivy, and Gitleaks into a multi-engine consensus verdict, cutting false positives and scan time. Zero-config npx usage, offline operation, and MCP runtime proxy set it apart from single-tool scanners. Benchmarks claim 91% F1 on attack samples, including real-world Dify plugins.

Who should use this?

Developers auditing third-party agent skills or MCP plugins before install. Teams adding security gates to AI agent CI/CD pipelines. MCP server users scanning repos like Playwright-MCP for hidden risks.

Verdict

Grab it for quick agent security checks: the docs and GitHub Action are polished despite 11 stars and a 1.0% credibility score. Early-stage with self-reported benchmarks; validate outputs manually until adoption grows.
