Audited on 500+ open-source agents · 20+ frameworks · Open source

The security scanner for AI agents

Scan Microsoft, Google ADK, Python, LangChain, CrewAI, MCP servers, Skills and 20+ frameworks for agent-specific vulnerabilities — in 60 seconds.

Start free — no credit card See what you'll get

Free forever for up to 5 scans/month. CLI + MCP server open source (Apache 2.0).

Inkog Verify — scan completeCRITICAL

CRITICALCWE-74 · OWASP LLM01

Prompt Injection

agent/chains.py:42

Untrusted user input flows directly into the LLM prompt. An attacker can inject instructions to override the agent or exfiltrate data.

vulnerable

prompt = f"Answer this query: {user_input}"
response = llm.invoke(prompt)

fix

prompt = TEMPLATE.format(query=sanitize(user_input))
response = llm.invoke(prompt)

Maps toEU AI Act Art. 15NIST AI RMFCWE-74

ScannedDamnVulnerableLLMProject·2.3s·5 more findings

Built for the modern AI stack

One scanner. Every framework.

Google ADK

Microsoft

Anthropic

LlamaIndex

HuggingFace

Google ADK

Microsoft

Anthropic

LlamaIndex

HuggingFace

View all 15+ supported integrations

What Inkog finds in your agent logic

Prompt InjectionCRITICAL

Unsanitized user input reaching LLM prompts

Missing Human OversightHIGH

Autonomous actions without approval gates

Tool MisuseHIGH

Unrestricted tool access or dangerous system calls

Token BombingHIGH

Unbounded token consumption without rate limits

SQL Injection via LLMMEDIUM

LLM-generated queries reaching databases unsanitized

Infinite LoopsMEDIUM

Missing exit conditions in agent retry/delegation chains

Full vulnerability database — updated weekly

Three commands. Full security audit.

Install

Scan

Ship with confidence

Get severity-ranked findings, compliance mapping, and remediation guidance.

Or use our MCP server inClaude &Cursor

New · MCP server

Build secure AI agents with Claude, Cursor, and Claude Code

Connect the Inkog MCP server and ask your AI assistant to scan, explain, and fix agent security issues — without ever leaving the conversation.

Scan during development

"Scan this agent for security issues." Findings come back in the same chat.

Explain & fix in-flow

"Explain this finding and apply the fix." No tab switching, no CLI.

Verify governance

"Does my AGENTS.md match the code?" Only Inkog answers this.

Install the MCP server

Every finding mapped to compliance

Inkog doesn't just find vulnerabilities — it tells you which regulation they violate and what to fix.

EU AI ActArticle 14 human oversight, Article 15 robustness, Article 12 loggingThe articles your auditor will ask about — mapped automatically.

OWASP LLM Top 10LLM01 Prompt Injection through LLM10 Model TheftAll 10 risk categories covered across every framework.

NIST AI RMFGovern, Map, Measure, Manage functionsRisk identification aligned to the four NIST AI RMF functions.

ISO 42001AI management system controlsMap findings to the international standard for AI governance.

Research Report

State of AI Agent Security 2026

The largest security analysis of the AI agent ecosystem. 500+ open-source projects scanned. Free download.

Download the report

New

Agent Capability Surface

One score, three layers, every gap mapped to a regulation. The first inventory that tells you what your agents can do, what your AGENTS.md says they should do, and where the controls are missing.

CANcapabilities

Every tool, MCP server, delegation, memory access, and credential the agent can reach. Extracted by the Universal IR across 15 frameworks.

SHOULDdeclarations

Every line of AGENTS.md, parsed across YAML front matter, markdown sections, and inline annotations into typed declarations.

ENFORCEDcontrols

Every control wired in code: human approval, authorization, audit log, rate limit, cycle guard, sanitizer. Indexed against the capability it protects.

91/100

Governance Score

Microsoft AutoGen

multi-agent framework, scanned at HEAD

4 agents, 18 tools, 3 high-severity gaps

See how the score is computed

What you'll see in 60 seconds

Paste a GitHub URL or upload a zip. No install, no config. Here's what comes back.

DamnVulnerableLLMProjectCore + Deep

Risk Score/100

3 High · 1 Med · 2 Low

Unvalidated Code Execution in Agent ToolHIGH90%

Agent tool executes code via eval/exec where input can be influenced by LLM output or prompt injection.

19-output = subprocess.check_output(command, shell=True)

19+output = subprocess.check_output(shlex.split(command), shell=False)

process.py:19·CWE-94CWE-95

Missing Human OversightHIGH

Destructive tool (database write) fires without approval gate

agent/tools.py:45

Recursive Tool CallingHIGH

Tool chain fans out without bounded iteration limit

agent/graph.py:23

Prompt Injection SinkMEDIUM

RAG output flows into system prompt without sanitization

agent/chains.py:67

EU AI Act Art. 14: Human OversightEU AI Act Art. 15: RobustnessLLM02: Insecure Output HandlingNIST AI RMF: Measure

Try it on your agent — free

Latest from Labs

Security research, vulnerability disclosures, and technical deep-dives from the Inkog team.

6 min read·May 16, 2026

Introducing Agent Capability Surface: See Exactly What Your AI Agents Can Do

A capability map for every agent in your codebase. What tools they invoke, what gaps exist between their declared scope and their wired controls, and a graduated governance score that maps to the EU AI Act, NIST AI RMF, ISO 42001, and OWASP LLM Top 10. Validated on Microsoft AutoGen and 13 other production agent repositories.

11 min read·May 16, 2026

EU Machinery Regulation 2023/1230: AI Compliance Before January 2027

Regulation (EU) 2023/1230 applies January 20, 2027 and pulls AI safety components into a third-party conformity-assessment regime. What it demands in code, who falls under it, and how the rules overlap with the EU AI Act.

13 min read·May 9, 2026

The AGENTS.md Supply Chain Attack: How a Malicious MCP Server Hijacks a Claude Code Session

A reproducible proof-of-concept: a tampered AGENTS.md and a malicious MCP server combine into a zero-click session hijack that exfiltrates .env secrets through an AI coding agent. Why classical SAST misses it, and how declares-vs-does verification stops it.

All research & articles

Start scanning in 60 seconds

Free · No setup required · Instant results

Start Scanning Now

30 min · Live Deep Scan on your code · Walkthrough of every finding