Local-first security scanner for AI agents and software supply chains, detecting prompt injection, MCP risks, tool poisoning, and compromised packages.
aguara is easy to set up with strong trust signals. Check agent compatibility and use-case fit before adding it to your workflow.
gh repo view garagon/aguara --web
Open the official repository or website.
Check the README for package manager, auth, and platform requirements.
Try it in a small test task inside your agent workflow.
Aguara scans your project's dependencies, lockfiles, CI workflows, and AI agent configurations for security threats before you run or install anything. It works entirely on your machine, with no cloud or LLM calls, and supports many package ecosystems, including npm, PyPI, Go, and Rust.
Aguara is a security scanner designed for modern software projects that rely on AI agents and complex supply chains. It checks trust points such as dependencies, lockfiles, install scripts, CI workflows, MCP (Model Context Protocol) configurations, and AI agent tools. The tool is local-first: no SaaS account, no telemetry, and no LLM calls. It supports multiple package ecosystems including npm, pnpm, yarn, PyPI, Go, Rust, PHP, Ruby, Java, and .NET. Aguara can detect prompt injection attacks, MCP server risks, tool poisoning, unsafe GitHub Actions, secret exfiltration, and compromised packages. It reads resolved lockfiles directly, so you can scan a project before running any install command. The tool is available via Homebrew, Docker, and pre-built binaries, with signed releases and SLSA provenance.
Strong trust signals; still review the README and permissions before production use.
Last commit was about 2 days ago.
82 GitHub stars indicate community interest.
4 open issues signal maintenance load.
Apache-2.0 license detected.
Scan a project's lockfiles for malicious dependencies before running npm install or pnpm install.
Audit CI/CD workflows for unsafe GitHub Actions or secret leaks.
Check MCP server configurations for prompt injection or tool poisoning risks.
Verify AI agent skills and tools for security vulnerabilities before integration.
Integrate into CI pipelines to automatically block supply-chain attacks.
82 stars, 15 forks, 4 issues, Apache-2.0 license.
A terminal dashboard to monitor AI coding agents like Claude Code and Codex CLI in real-time.
A bridge between Streamable HTTP and stdio MCP transports, enabling flexible MCP server connectivity.
A full-stack AI Red Teaming platform for securing AI ecosystems with comprehensive scanning and evaluation.
0 security/trust notes recorded.
Setup difficulty is 2/5.