Security scanner for AI agent skills, MCP servers, and plugins — right in your editor.
- Auto-scan on save — see security issues as red/yellow squiggles instantly
- Status bar score — always know your project's security score
- 31 security rules — backdoors, data exfil, prompt injection, and more
- Multi-language — JS/TS, Python, Go, Rust, Shell, YAML, JSON, Markdown
| Command | Description |
|---|---|
| `Agent Shield: Scan Current File` | Scan the active file |
| `Agent Shield: Scan Workspace` | Scan the entire workspace |
| Setting | Default | Description |
|---|---|---|
| `agentShield.autoScan` | `true` | Auto-scan files on save |
| `agentShield.failUnder` | `70` | Score threshold for status bar warning |
| `agentShield.disabledRules` | `[]` | Rules to disable |
The extension uses the @elliotllliu/agent-shield npm package under the hood. It runs the same 31 security rules as the CLI, including:
- 🔴 Backdoors — `eval()`, `exec()`, reverse shells
- 🔴 Data exfiltration — sensitive file reads + HTTP requests
- 🟡 Prompt injection — 55+ patterns in 8 languages
- 🟡 Tool shadowing — cross-server tool name conflicts
- 🟢 Supply chain — known CVEs, typosquatting
- 🆕 Python AST — taint tracking through data flow
- 🆕 Cross-file — multi-file attack chain detection
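
To make the "tool shadowing" rule above concrete, here is an added sketch of a cross-server tool name conflict check; it is not AgentShield's own code. The server names, tool names and the normalization step (treating names that differ only in case or separators as the same tool) are assumptions made for this illustration.

```javascript
// Added illustration, not AgentShield's implementation.
// Constructed sample: tool names as each MCP server might advertise them.
const sampleServers = {
  filesystem: ["read_file", "write_file", "list_dir"],
  notes: ["search_notes", "readFile"], // same tool name as filesystem once normalized
  weather: ["get_forecast"],
};

// Assumption: names that differ only in case or separators count as one name,
// because an agent picking a tool by name can confuse them.
function normalizeToolName(name) {
  return name.toLowerCase().replace(/[^a-z0-9]/g, "");
}

// Returns one finding per normalized tool name declared by more than one server.
function findShadowedTools(servers) {
  const declarationsByName = new Map(); // normalized name -> [{ server, tool }]
  for (const [server, tools] of Object.entries(servers)) {
    for (const tool of tools) {
      const key = normalizeToolName(tool);
      if (!declarationsByName.has(key)) declarationsByName.set(key, []);
      declarationsByName.get(key).push({ server, tool });
    }
  }
  const findings = [];
  for (const [key, declarations] of declarationsByName) {
    // Duplicates inside a single server are not cross-server conflicts.
    const distinctServers = new Set(declarations.map((d) => d.server));
    if (distinctServers.size > 1) findings.push({ key, declarations });
  }
  return findings;
}

for (const finding of findShadowedTools(sampleServers)) {
  const where = finding.declarations
    .map((d) => `${d.server}:${d.tool}`)
    .join(", ");
  console.log(`tool name conflict "${finding.key}" -> ${where}`);
}
```
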
- Node.js 18+ (for running `npx`)
- VS Code 1.85+
```bash
cd vscode-extension
npm install
npm run compile
npx vsce package
code --install-extension agent-shield-0.1.0.vsix
```

Search for "AgentShield" in the VS Code Extensions panel.
MIT