Secure everything your AI agent trusts.
Adopting an AI coding agent means adopting everything the agent trusts. Claude Code, Cursor, Windsurf, and the rest do not just run the code you write: they read and act on a surface of inputs you almost certainly never reviewed, and it widens with every server, skill, and session you add:
- The MCP servers you added, and every tool description they expose.
- The skills, slash-commands, and subagents in your config, which carry executable bodies, not just prose.
- The agent's long-term memory, where an injected "fact" can steer every future session.
- The rules, instruction files, and hooks the agent reads on startup.
- The A2A agent cards it uses to decide whether to trust a peer.
- The results tools hand back, which the model reads as if they were trustworthy.
Each of these is an instruction channel into a model that acts on your machine. Prompt injection, tool poisoning, indirect injection via tool results, poisoned memory, MCP rug pulls, and malicious skills are the recurring failure shapes: the same list OWASP's work on securing LLM and agentic applications now enumerates. None of them show up in a normal dependency scan, because the payload is not a CVE. It is text your agent was told to trust.
Vulkro checks that whole surface. The free, open-source Vulkro Labs tools do the inspection and auditing. The paid engine adds an in-loop guard that watches your assistant as it writes.
Where this sits in the lifecycle
Vulkro's spine is the pre-deploy lifecycle: as-you-code, pre-commit, PR / CI, pre-deploy gate. Agent security is the front edge of the as-you-code stage: it vets what enters your agent's context before the agent acts on it, and it watches what the agent writes while it writes.
Two products own this page:
- The free, open-source Vulkro Labs tools
(
vulkro-live) own the vetting: MCP servers, skills, memory, configs, agent cards, tool results, and packages, checked before or as they enter the agent's world. - The paid Vulkro engine owns the in-loop depth:
vulkro guardin the assistant's write loop, plus the MCP server source and host-config audits.
MCP servers and their tools
When you add an MCP server, you inherit every tool description it ships, and your model reads those descriptions as instructions. Two free commands cover this:
# Before you add it: is this MCP server safe?
vulkro-live inspect 'npx -y @scope/server-x'
# The bouncer: scan the server's tool manifest
vulkro-live warden tools.json
inspect resolves the server's backing package, verifies it, and
returns a plain GREEN / REVIEW / AVOID verdict so the "should I add
this" decision is a one-liner. warden is the MCP and agent-tool
bouncer: point it at a tool manifest (a tools/list result) and it
scans the descriptions for prompt injection, tool poisoning, tool
shadowing, hidden unicode, and risky capabilities.
See the MCP server page for the developer-side view (scanning the MCP server source you are writing).
Skills and commands
Skills, slash-commands, and subagents are not just descriptions. They carry an executable body that runs with your agent's permissions. Reviewing the prose and skipping the body is how a malicious skill gets in.
vulkro-live skillscan ~/.claude
skillscan scans the executable body of your skills, slash-commands,
and subagents, not only their front-matter and description text.
Agent memory
Long-term agent memory is a persistence channel. An attacker who lands one poisoned "fact" (an instruction phrased as a remembered preference, or a stored note that runs a command) gets to steer every session that reads that memory afterward.
vulkro-live memcheck
memcheck scans an AI agent's stored long-term memory for
poisoning: an injected entry designed to run a command or bias every
future session.
Agent config and hooks
Your agent reads rules, instruction files, and configured MCP
servers on startup, and some hooks reach the network. Auditing them
one at a time does not scale, so audit does the whole surface in
one pass.
vulkro-live audit
audit covers your entire agent surface at once: every configured
MCP server, plus the rules, skills, and instruction files an agent
reads, plus network-reaching hooks. It is the "one command, whole
surface" entry point when you do not yet know where the risk is.
To catch an MCP rug pull (a server that ships a clean manifest, then quietly changes it) two more free commands pin and diff the manifest:
# Fingerprint the current tool manifest
vulkro-live lock tools.json
# Later: report a field-level diff against the lock
vulkro-live drift tools.json
lock fingerprints the current tool manifest. drift reports a
field-level diff: a dropped readOnlyHint, a description that gained
an injection phrase, a tool that changed shape since you approved it.
A2A agent cards
When your agent trusts a peer through an A2A agent card, that card
is another untrusted input. cardcheck vets it before your agent
acts on it.
vulkro-live cardcheck agent-card.json
cardcheck checks identity and domain match, looks for injection
over the card's text fields, flags confusable names, and gives an
honest signature-presence report. Be clear on the limit here: it
reports whether a signature is present, it does not verify the
signature cryptographically, and it never claims to.
Tool results and indirect injection
The most easily overlooked channel is the result a tool returns. Your agent reads that text as trustworthy, so a web page, a file, or an upstream API can plant instructions the model then follows. That is indirect prompt injection.
# Scan a returned tool result (file, or pipe it on stdin)
vulkro-live warden --result page.txt
cat result.txt | vulkro-live warden --result
warden --result runs against untrusted text (a tool result, a
fetched page, a file the agent read) as well as a tool manifest, so
the text coming back into your agent gets the same
prompt-injection and hidden-unicode check as the tool that produced
it.
Packages, because agents install them too
Agents pull in dependencies as readily as they call tools, so package safety belongs on the same surface:
vulkro-live verify --manifest package.json # package safety
vulkro-live foresee . # map the traps before you install
Give your agent the tools directly
Vulkro Labs ships a built-in MCP server, so your agent can call the checks itself instead of you running them by hand:
vulkro-live mcp
This exposes verify and warden to your agent directly, so a
suspicious package, tool manifest, or tool result can be vetted
mid-session.
Free tools, and the in-loop guard in the paid engine
Everything above is the free, open-source, keyless Vulkro Labs
CLI (vulkro-live). The tools are MIT or Apache-2.0 licensed and
run on your machine; the only thing that ever leaves it is public
metadata (package names, versions, tool manifests), never your
source code.
curl -fsSL https://dist.vulkro.com/install-live.sh | bash
The paid Vulkro engine is a separate download and adds the piece
the free tools do not: an in-loop guard that runs while the agent
writes. The engine requires an account; a 14-day trial of the
full product starts on your first vulkro login, and licenses
are issued per seat, directly by our team.
curl -fsSL https://dist.vulkro.com/install.sh | bash
vulkro login
vulkro guard runs inside your AI assistant's write loop (Claude
Code, Cursor, and Windsurf hooks), checks each file as it is written,
and feeds serious findings back so the assistant fixes the problem
before the file lands. It is offline and per-file fast. The engine
also carries MCP-server-source and MCP-host-config audits and
RAG-indexing-safety detectors.
The distinction matters and stays exact: the Labs tools
(vulkro-live) are the open-source, on-your-machine agent-surface
checks. The Vulkro engine is closed, licensed, and uses no AI. What
you pay for is detection depth and the in-loop guard, not a cloud
service and not a model call.
Where the boundaries are
Honesty about what these checks are, so a clean result means what you think it means:
- A GREEN verdict is a screen, not a guarantee. The checks are deterministic pattern and structure analysis over text surfaces (descriptions, manifests, bodies, memory entries). A payload crafted to evade a specific check can evade it. Run the checks, keep your judgement.
cardcheckreports signature presence only. It tells you whether an A2A card carries a signature; it does not verify the signature cryptographically, and it never claims to.- No runtime interception. These tools inspect artifacts before
and after the fact. They do not sit inside your agent's network
traffic or sandbox its process.
vulkro guardis the closest to the loop, and it checks files as they are written, not model calls in flight. - The deep analysis lives in the paid engine. The free tools deliberately carry none of the closed engine's cross-file taint tracking or reachability analysis. Free vets what enters your project; the paid engine analyzes the code you (and your agent) wrote.
Get started
Install the free agent-surface tools first and run an audit:
curl -fsSL https://dist.vulkro.com/install-live.sh | bash
vulkro-live audit
That one command sweeps your MCP servers, skills, instruction files,
and network-reaching hooks. From there, warden, inspect,
skillscan, memcheck, lock / drift, and cardcheck cover the
individual surfaces, and vulkro-live mcp hands the checks to your
agent directly.
See the Vulkro Labs hub for the full free-tool lineup, and
the features page for the paid engine, including
vulkro guard in your assistant's write loop.