Security Rules
AgentSec ships with 41 security rules covering the full spectrum of AI agent risks.
Severity levels
| Severity |
Meaning |
| Critical |
Immediate RCE, privilege escalation, or data exfiltration risk |
| High |
Significant attack surface expansion or supply-chain risk |
| Medium |
Misconfiguration that increases attack surface |
| Low |
Missing best practices or policy |
Rules reference
Shell execution
| Rule |
Severity |
Description |
| MCP shell execution |
Critical |
MCP server can execute shell commands |
| Insecure default command |
Critical |
Uses eval, exec, or dangerous command-line flags |
| Dynamic code execution |
Critical |
Agent or MCP server can dynamically evaluate code |
| Package manager execution |
High |
Invokes npx, uvx, pipx — packages can run install scripts |
Filesystem access
| Rule |
Severity |
Description |
| MCP filesystem write access |
Critical |
MCP server can write, edit, or delete files |
| Broad path access |
High |
Filesystem access to root (/) or home (~) |
| Read-only filesystem |
Medium |
Read-only access can still leak sensitive files |
| Network + filesystem access |
Critical |
Can both read/write files and make network requests (exfiltration) |
| Web + filesystem access |
High |
Can browse web and write files |
| Read repo + network |
High |
Can read repo files and send network requests |
Secrets & credentials
| Rule |
Severity |
Description |
| Secret exposure |
Critical |
Environment variables with API keys, tokens, secrets |
| Environment variable exposure |
Critical |
Config exposes env vars like AWS_, OPENAI_, GITHUB_ |
| Sensitive file reference |
High |
References .env, id_rsa, .ssh, credentials |
| Credential helper access |
High |
References credential stores or auth helpers |
| GitHub token exposure |
High |
GitHub token or actions:write permission detected |
Agent-specific risks
| Rule |
Severity |
Description |
| Claude Desktop MCP risks |
High |
Risky shell/filesystem/network in Claude Desktop config |
| Cursor agent dangerous permissions |
High |
Cursor agent with shell, write, or network access |
| Codex/Cline unrestricted tools |
High |
Unrestricted access to tools in Codex or Cline config |
| Browser automation + local files |
High |
Combines browser automation with local file access |
Prompt injection
| Rule |
Severity |
Description |
| Prompt injection risk |
Medium |
Instructions contain prompt injection phrases |
| Prompt injection in markdown |
Medium |
Markdown files with system-level directives |
| Suspicious tool description |
High |
Tool descriptions with instruction-like language |
| Missing input validation |
Medium |
Lacks input validation for injection prevention |
Access control
| Rule |
Severity |
Description |
| Docker socket access |
Critical |
MCP server can access the Docker socket |
| Container privileged mode |
Critical |
Container may run with elevated host privileges |
| Host mount exposure |
Critical |
Container mounts sensitive host directories |
| Wildcard tool allowlist |
High |
Allows all tools via * or allow_all |
| Excessive autonomy |
Medium |
Agent told to never ask for confirmation |
| MCP OAuth broad scopes |
Medium |
Overly broad OAuth scopes (*, admin) |
| No policy file |
Low |
No local security policy file defined |
Supply-chain
| Rule |
Severity |
Description |
| Remote script install |
High |
curl | bash or wget | sh pattern |
| Unpinned dependency |
Medium |
Dependency not pinned to a specific version |
| Vulnerable dependency pattern |
Medium |
Uses known vulnerable version patterns |
| Unknown/untrusted source |
Medium |
Package from raw.githubusercontent, gist, pastebin |
Communication
| Rule |
Severity |
Description |
| Communication tool write |
High |
Can send messages to Slack, email, GitHub (data leak) |
| Database write/delete |
High |
Can modify or delete database records |
| Telemetry endpoint |
Medium |
References telemetry or analytics endpoints |
Rule detection logic
Rules use content-based pattern matching. Each rule has a set of detect_patterns — substrings that trigger the finding.
For rules with all_patterns, ALL patterns must be present in the content (AND logic). For standard rules, ANY pattern triggers (OR logic).
How to add custom rules
Rules are defined in agentsec/rules/. To add a custom rule:
- Create a
Rule object with name, severity, description, recommendation, and patterns
- Register it in
load_additional_rules() in agentsec/rules/additional.py
See agentsec/rules/base.py for the Rule class definition.