AI agents have full system access -- read files, execute commands, access credentials -- with zero review process. We scanned 53,577 MCP skills across 3 registries. 946 flagged with threats. Credential harvesting. Reverse shells. Prompt injection. Live numbers.
AI agents have full system permissions with no review whatsoever. We scanned 53,577 MCP skills across 3 major platforms; 946 were flagged with threats. Live data at panguard.ai.
Proof points: Cisco AI Defense merged 34 ATR rules | OWASP Agentic Top 10 PR #814 | 23,000+ npm downloads
```bash
npm install -g @panguard-ai/panguard && pga up
```

One command. Auto-detects your AI platforms, wraps every MCP server with a security proxy, scans all skills, starts 24/7 monitoring with real-time dashboard.

One line does it all. Auto-detects platforms, injects the runtime proxy, scans all skills, and starts 24/7 monitoring with a dashboard.

```bash
# Or scan a specific file
pga scan skill.md          # auto-detects MCP JSON vs SKILL.md
pga scan skill.md --sarif  # SARIF output for CI integration
```

16 platforms: Claude Code, Claude Desktop, Cursor, OpenClaw, Codex, WorkBuddy, NemoClaw, ArkClaw, Windsurf, QClaw, Cline, VS Code Copilot, Zed, Gemini CLI, Continue, Roo Code
| Method | Command |
|---|---|
| npm (recommended) | npm install -g @panguard-ai/panguard && pga up |
| curl (no Node required) | curl -fsSL https://get.panguard.ai | bash |
| Homebrew (macOS) | brew install panguard-ai/tap/panguard && pga up |
Or scan online at panguard.ai -- paste a GitHub URL, get a report in 3 seconds.
```text
pga up
  |
  v
Detect AI platforms (16 supported) → Inject MCP proxy on all servers
  |
  v
Every tool call → ATR evaluation (100 rules) → ALLOW / DENY
  |                                     |
  v                                     v
Dashboard (real-time)              Threat Cloud (flywheel)
  |                                     |
  v                                     v
Blocked call → alert in dashboard  3+ confirmations → new ATR rule
                                        |
                                        v
                              Rule pushed to ALL users < 1 hour
```
One person encounters a threat. It becomes a rule. It protects everyone. That's the flywheel.
| Layer | Engine | Latency | Cost |
|---|---|---|---|
| 1 | 100 ATR regex rules | < 50ms | $0 |
| 2 | Local AI (Ollama) | ~ 2s | $0 |
| 3 | Cloud AI (Claude / OpenAI) | ~ 5s | ~$0.008 |
Internet down? Rules + local AI keep running. Cloud down? Same. Everything degrades gracefully.
pga up automatically wraps every MCP server with a security proxy. Every tool call passes through 100 ATR rules before reaching the real server. Malicious calls are blocked instantly. Results stream to the dashboard in real-time.
```text
Agent ←→ [PanGuard Proxy] ←→ Real MCP Server
              ↓ ATR eval
           ALLOW / DENY
```
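The ALLOW / DENY step the proxy performs on each tool call, as an added TypeScript example that is not PanGuard's own code: it parses an MCP JSON-RPC `tools/call` request, matches every string argument (nested ones included) against a small constructed rule set standing in for the 100 ATR rules, and on a hit returns the JSON-RPC error the proxy would answer with instead of forwarding. Rule ids `EX-001` to `EX-003`, their patterns, and the error code -32000 are assumptions made for the example.

```typescript
// Added illustration of the proxy's ATR evaluation step; not PanGuard's own code.
// Rule ids, patterns and the JSON-RPC error code below are constructed for this example.
type Verdict = "ALLOW" | "DENY";
interface AtrRule { id: string; severity: "CRITICAL" | "HIGH" | "MEDIUM"; pattern: RegExp; description: string }
interface ToolCallRequest {
  jsonrpc: "2.0"; id?: number | string; method: string;
  params?: { name: string; arguments?: Record<string, unknown> };
}
interface Evaluation { verdict: Verdict; matched: AtrRule[] }
// Three constructed rules standing in for the 100-rule ATR set (no /g flag, so test() stays stateless).
const RULES: AtrRule[] = [
  { id: "EX-001", severity: "CRITICAL", pattern: /(\/etc\/shadow|\.ssh\/|\.aws\/credentials)/i,
    description: "access to credential files" },
  { id: "EX-002", severity: "CRITICAL", pattern: /\b(curl|wget)\b[^|\n]*\|\s*(ba|z)?sh\b/i,
    description: "remote content piped into a shell" },
  { id: "EX-003", severity: "HIGH", pattern: /ignore (all )?previous instructions/i,
    description: "prompt-injection phrase inside tool arguments" },
];

// Collect every string in the arguments, descending into arrays and objects, so a
// sensitive path buried in a nested option is inspected like a top-level one.
function collectStrings(value: unknown, out: string[] = []): string[] {
  if (typeof value === "string") out.push(value);
  else if (Array.isArray(value)) value.forEach((v) => collectStrings(v, out));
  else if (value && typeof value === "object")
    Object.keys(value).forEach((k) => collectStrings((value as Record<string, unknown>)[k], out));
  return out;
}
// Evaluate one raw JSON-RPC message. Malformed input fails closed; methods other than
// tools/call (tools/list, initialize, ...) are passed through untouched.
function evaluateToolCall(raw: string, rules: AtrRule[] = RULES): Evaluation {
  let msg: ToolCallRequest | undefined;
  try { msg = JSON.parse(raw) as ToolCallRequest; } catch { /* fall through with msg undefined */ }
  if (!msg || typeof msg !== "object") return { verdict: "DENY", matched: [] };
  if (msg.method !== "tools/call") return { verdict: "ALLOW", matched: [] };
  const haystack = collectStrings(msg.params?.arguments).join("\n");
  const matched = rules.filter((r) => r.pattern.test(haystack));
  return { verdict: matched.length > 0 ? "DENY" : "ALLOW", matched };
}

// The proxy's action on a verdict: forward the original bytes to the real MCP server, or
// answer the agent itself with a JSON-RPC error so the blocked call never reaches the server.
function proxyDecision(raw: string): { forward: string } | { reply: string } {
  const { verdict, matched } = evaluateToolCall(raw);
  if (verdict === "ALLOW") return { forward: raw };
  let id: number | string | null = null;
  try { id = (JSON.parse(raw) as ToolCallRequest).id ?? null; } catch { /* unparseable: id stays null */ }
  const reason = matched.map((r) => `${r.id} (${r.severity}): ${r.description}`).join("; ") || "malformed request";
  return { reply: JSON.stringify({ jsonrpc: "2.0", id, error: { code: -32000, message: `Blocked by ATR: ${reason}` } }) };
}
```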
We scanned the two largest MCP skill registries.
| Metric | Count |
|---|---|
| Skills scanned | 36,394 |
| Clean | 26,718 (73.39%) |
| CRITICAL | 182 |
| HIGH | 1,124 |
| MEDIUM | 1,016 |
Raw data: ecosystem-report.csv (open source)
Research paper: The Collapse of Trust: Security Architecture for the Age of Autonomous AI Agents (Zenodo, DOI: 10.5281/zenodo.19178002)
ATR is not a competing standard. It is the detection layer that makes standards enforceable.
| Layer | What it does | Project |
|---|---|---|
| Standards | Define threat categories | SAFE-MCP (OpenSSF, $12.5M) |
| Taxonomy | Enumerate attack surfaces | OWASP Agentic Top 10 |
| Detection | Match threats in real time | ATR -- 100 rules |
| Enforcement | Scan, monitor, block, report | PanGuard (this project) |
- OWASP Agentic Top 10: 10/10 categories covered (mapping)
- SAFE-MCP techniques: 91.8% covered (mapping)
PanGuard is free and open source for individual developers. For organizations running AI agents at scale:
Policy Engine -- Define what your agents can and cannot do. Enforce across teams.
```yaml
# panguard-policy.yaml
rules:
  - block_severity: CRITICAL
  - allow_network: ['internal.corp.com', 'api.openai.com']
  - deny_filesystem: ['/etc/shadow', '~/.ssh/*', '~/.aws/*']
  - require_scan_before_install: true
```

Compliance Reporting -- Map every scan to SOC 2, ISO 27001, or Taiwan Cyber Security Act (TCSA) controls. Generate audit-ready PDF reports.
Air-gapped Deployment -- Run entirely on-premise. No data leaves your network. ATR rules update via signed bundles.
Dashboard -- Real-time threat visibility across all agents, all teams, one pane of glass.
Enterprise inquiry: hello@panguard.ai
```text
panguard-ai/
  packages/
    panguard/                 CLI: 28 commands, 16 platform auto-detect
    panguard-guard/           24/7 monitoring + real-time dashboard + Threat Cloud sync
    panguard-mcp-proxy/       MCP Proxy: runtime interception for all AI agent tool calls
    panguard-skill-auditor/   6-check security gate for every skill
    panguard-mcp/             MCP server: 11+ tools for AI assistants
    atr/                      Agent Threat Rules: 100 rules, 9 categories
    threat-cloud/             Community threat intel server + LLM review
    scan-core/                Shared scan engine: regex + context signals
    core/                     AI adapters, validation, logging
  website/                    Next.js marketing site + online scanner
```
| Component | Technology |
|---|---|
| Language | TypeScript 5.7 (strict mode) |
| Runtime | Node.js 20+ |
| Monorepo | pnpm workspaces |
| AI | Ollama (local) + Claude / OpenAI (cloud) |
| Website | Next.js 15 + Vercel |
- Scan your skills -- Highest impact. Every scan strengthens Threat Cloud.
- Write detection rules -- See ATR contribution guide.
- Report vulnerabilities -- Open a security advisory.
- Submit code -- Fork, branch, test, PR. See CONTRIBUTING.md.
MIT -- 100% free. 100% open source. No telemetry by default. No vendor lock-in.
If AI agents can act on your behalf, someone should check what they're about to do.
Website · Online Scanner · ATR Standard · Ecosystem Report · Documentation