Skip to main content

Secure everything your AI agent trusts.

Adopting an AI coding agent means adopting everything the agent trusts. Claude Code, Cursor, Windsurf, and the rest do not just run the code you write: they read and act on a surface of inputs you almost certainly never reviewed, and it widens with every server, skill, and session you add:

  • The MCP servers you added, and every tool description they expose.
  • The skills, slash-commands, and subagents in your config, which carry executable bodies, not just prose.
  • The agent's long-term memory, where an injected "fact" can steer every future session.
  • The rules, instruction files, and hooks the agent reads on startup.
  • The A2A agent cards it uses to decide whether to trust a peer.
  • The results tools hand back, which the model reads as if they were trustworthy.

Each of these is an instruction channel into a model that acts on your machine. Prompt injection, tool poisoning, indirect injection via tool results, poisoned memory, MCP rug pulls, and malicious skills are the recurring failure shapes: the same list OWASP's work on securing LLM and agentic applications now enumerates. None of them show up in a normal dependency scan, because the payload is not a CVE. It is text your agent was told to trust.

Vulkro checks that whole surface. The free, open-source Vulkro Labs tools do the inspection and auditing. The paid engine adds an in-loop guard that watches your assistant as it writes.

Where this sits in the lifecycle

Vulkro's spine is the pre-deploy lifecycle: as-you-code, pre-commit, PR / CI, pre-deploy gate. Agent security is the front edge of the as-you-code stage: it vets what enters your agent's context before the agent acts on it, and it watches what the agent writes while it writes.

Two products own this page:

  • The free, open-source Vulkro Labs tools (vulkro-live) own the vetting: MCP servers, skills, memory, configs, agent cards, tool results, and packages, checked before or as they enter the agent's world.
  • The paid Vulkro engine owns the in-loop depth: vulkro guard in the assistant's write loop, plus the MCP server source and host-config audits.

MCP servers and their tools

When you add an MCP server, you inherit every tool description it ships, and your model reads those descriptions as instructions. Two free commands cover this:

# Before you add it: is this MCP server safe?
vulkro-live inspect 'npx -y @scope/server-x'

# The bouncer: scan the server's tool manifest
vulkro-live warden tools.json

inspect resolves the server's backing package, verifies it, and returns a plain GREEN / REVIEW / AVOID verdict so the "should I add this" decision is a one-liner. warden is the MCP and agent-tool bouncer: point it at a tool manifest (a tools/list result) and it scans the descriptions for prompt injection, tool poisoning, tool shadowing, hidden unicode, and risky capabilities.

See the MCP server page for the developer-side view (scanning the MCP server source you are writing).

Skills and commands

Skills, slash-commands, and subagents are not just descriptions. They carry an executable body that runs with your agent's permissions. Reviewing the prose and skipping the body is how a malicious skill gets in.

vulkro-live skillscan ~/.claude

skillscan scans the executable body of your skills, slash-commands, and subagents, not only their front-matter and description text.

Agent memory

Long-term agent memory is a persistence channel. An attacker who lands one poisoned "fact" (an instruction phrased as a remembered preference, or a stored note that runs a command) gets to steer every session that reads that memory afterward.

vulkro-live memcheck

memcheck scans an AI agent's stored long-term memory for poisoning: an injected entry designed to run a command or bias every future session.

Agent config and hooks

Your agent reads rules, instruction files, and configured MCP servers on startup, and some hooks reach the network. Auditing them one at a time does not scale, so audit does the whole surface in one pass.

vulkro-live audit

audit covers your entire agent surface at once: every configured MCP server, plus the rules, skills, and instruction files an agent reads, plus network-reaching hooks. It is the "one command, whole surface" entry point when you do not yet know where the risk is.

To catch an MCP rug pull (a server that ships a clean manifest, then quietly changes it) two more free commands pin and diff the manifest:

# Fingerprint the current tool manifest
vulkro-live lock tools.json

# Later: report a field-level diff against the lock
vulkro-live drift tools.json

lock fingerprints the current tool manifest. drift reports a field-level diff: a dropped readOnlyHint, a description that gained an injection phrase, a tool that changed shape since you approved it.

A2A agent cards

When your agent trusts a peer through an A2A agent card, that card is another untrusted input. cardcheck vets it before your agent acts on it.

vulkro-live cardcheck agent-card.json

cardcheck checks identity and domain match, looks for injection over the card's text fields, flags confusable names, and gives an honest signature-presence report. Be clear on the limit here: it reports whether a signature is present, it does not verify the signature cryptographically, and it never claims to.

Tool results and indirect injection

The most easily overlooked channel is the result a tool returns. Your agent reads that text as trustworthy, so a web page, a file, or an upstream API can plant instructions the model then follows. That is indirect prompt injection.

# Scan a returned tool result (file, or pipe it on stdin)
vulkro-live warden --result page.txt
cat result.txt | vulkro-live warden --result

warden --result runs against untrusted text (a tool result, a fetched page, a file the agent read) as well as a tool manifest, so the text coming back into your agent gets the same prompt-injection and hidden-unicode check as the tool that produced it.

Packages, because agents install them too

Agents pull in dependencies as readily as they call tools, so package safety belongs on the same surface:

vulkro-live verify --manifest package.json # package safety
vulkro-live foresee . # map the traps before you install

Give your agent the tools directly

Vulkro Labs ships a built-in MCP server, so your agent can call the checks itself instead of you running them by hand:

vulkro-live mcp

This exposes verify and warden to your agent directly, so a suspicious package, tool manifest, or tool result can be vetted mid-session.

Free tools, and the in-loop guard in the paid engine

Everything above is the free, open-source, keyless Vulkro Labs CLI (vulkro-live). The tools are MIT or Apache-2.0 licensed and run on your machine; the only thing that ever leaves it is public metadata (package names, versions, tool manifests), never your source code.

curl -fsSL https://dist.vulkro.com/install-live.sh | bash

The paid Vulkro engine is a separate download and adds the piece the free tools do not: an in-loop guard that runs while the agent writes. The engine requires an account; a 14-day trial of the full product starts on your first vulkro login, and licenses are issued per seat, directly by our team.

curl -fsSL https://dist.vulkro.com/install.sh | bash
vulkro login

vulkro guard runs inside your AI assistant's write loop (Claude Code, Cursor, and Windsurf hooks), checks each file as it is written, and feeds serious findings back so the assistant fixes the problem before the file lands. It is offline and per-file fast. The engine also carries MCP-server-source and MCP-host-config audits and RAG-indexing-safety detectors.

The distinction matters and stays exact: the Labs tools (vulkro-live) are the open-source, on-your-machine agent-surface checks. The Vulkro engine is closed, licensed, and uses no AI. What you pay for is detection depth and the in-loop guard, not a cloud service and not a model call.

Where the boundaries are

Honesty about what these checks are, so a clean result means what you think it means:

  • A GREEN verdict is a screen, not a guarantee. The checks are deterministic pattern and structure analysis over text surfaces (descriptions, manifests, bodies, memory entries). A payload crafted to evade a specific check can evade it. Run the checks, keep your judgement.
  • cardcheck reports signature presence only. It tells you whether an A2A card carries a signature; it does not verify the signature cryptographically, and it never claims to.
  • No runtime interception. These tools inspect artifacts before and after the fact. They do not sit inside your agent's network traffic or sandbox its process. vulkro guard is the closest to the loop, and it checks files as they are written, not model calls in flight.
  • The deep analysis lives in the paid engine. The free tools deliberately carry none of the closed engine's cross-file taint tracking or reachability analysis. Free vets what enters your project; the paid engine analyzes the code you (and your agent) wrote.

Get started

Install the free agent-surface tools first and run an audit:

curl -fsSL https://dist.vulkro.com/install-live.sh | bash
vulkro-live audit

That one command sweeps your MCP servers, skills, instruction files, and network-reaching hooks. From there, warden, inspect, skillscan, memcheck, lock / drift, and cardcheck cover the individual surfaces, and vulkro-live mcp hands the checks to your agent directly.

See the Vulkro Labs hub for the full free-tool lineup, and the features page for the paid engine, including vulkro guard in your assistant's write loop.