agent-audit

agent-audit is an open-source security auditing tool for AI agent code. It focuses on practical security checks for modern agentic systems, including coverage aligned with OWASP Agentic Top 10 style risk categories, taint-style flow analysis, and MCP configuration auditing.


If this project is useful in your workflow, please star the GitHub repository to help more practitioners discover it.


Why this project

AI agent pipelines combine LLM prompts, external tools, and runtime configuration. This expands the attack surface beyond traditional app code. agent-audit is designed to help teams catch high-risk patterns earlier in development and CI.

Core capabilities

  • Security auditing for risk-relevant patterns in agent code.
  • Taint-style analysis to identify risky data flow paths.
  • Audit checks for MCP-related configuration issues.
  • Rule coverage mapped to agent security risk categories.
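As an added illustration of the taint-style check listed above (example code written for this page, not agent-audit's own implementation): a minimal AST walk that propagates taint from LLM-output sources through assignments and reports where it reaches a shell or code-execution sink. The source and sink tables and the sample agent snippet are constructed assumptions.

```python
import ast

# Constructed sample of agent code (not from the page): an LLM reply is
# concatenated into a shell command and also passed to exec().
SAMPLE_AGENT_CODE = '''
import subprocess
reply = llm.complete(prompt)
cmd = "ls " + reply
subprocess.run(cmd, shell=True)
subprocess.run(["ls", "-l"])
exec(reply)
'''

# Hypothetical source/sink tables; a real rule set would be far larger.
SOURCES = {"llm.complete", "llm.chat", "tool_result"}
SINKS = {"subprocess.run", "os.system", "eval", "exec"}


def dotted(node):
    """Return 'a.b.c' for Name/Attribute chains, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def find_tainted_sinks(source_code):
    """Walk module statements in order, mark assignment targets as tainted
    when their value reads a source or an already-tainted name, and return
    (line, sink) pairs where a tainted name is used as a sink argument."""
    tainted, findings = set(), []
    for stmt in ast.parse(source_code).body:
        if isinstance(stmt, ast.Assign):
            for sub in ast.walk(stmt.value):
                name = dotted(sub.func) if isinstance(sub, ast.Call) else dotted(sub)
                if name in SOURCES or name in tainted:
                    tainted.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
                    break
        for call in ast.walk(stmt):
            if isinstance(call, ast.Call) and dotted(call.func) in SINKS:
                if any(dotted(n) in tainted for arg in call.args for n in ast.walk(arg)):
                    findings.append((call.lineno, dotted(call.func)))
    return findings


if __name__ == "__main__":
    for line, sink in find_tainted_sinks(SAMPLE_AGENT_CODE):
        print(f"line {line}: tainted data reaches {sink}")
```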

Quick start

Install from PyPI:

pip install agent-audit

ClawHub deployment results (March 2026)

agent-audit was used in the ClawHub scanner deployment to analyze the ecosystem at scale.

  • Scanned 18,899 ClawHub skills end-to-end.
  • Detected 13,947 total vulnerabilities, including 1,996 BLOCK-level critical findings.
  • 7 new OpenClaw rules triggered 1,845 hits in total.
  • Obfuscated shell command rule AGENT-058 triggered 1,034 times.
  • Vulnerability rate: 46.6% for skills with scripts vs 16.8% for skills without scripts.