CLI Scanner

Scan Local & Private Agents

Run security scans on MCP servers and AI agents behind firewalls, on localhost, or in private networks. Differential analysis with detailed risk reports.

Quick Start

Run the Scanner

npx kurral-scanner http://localhost:8000

Requires Node.js 18+. Point to your MCP server's URL. No installation needed.

Watch the Analysis

Testing prompt_override... 8 probes Testing system_prompt_leak... 4 probes Testing data_exfil... 6 probes Analyzing responses...

The scanner sends attack probes and uses differential analysis to detect suspicious behavior.

Review Risk Signals

The scanner generates a detailed report with:

Risk level assessment (Critical → Minimal)
Risk signals with confidence levels
What was observed vs. what needs validation
JSON export for CI/CD integration

Command Reference

npx kurral-scanner <url>

Run a full security scan against an MCP server

npx kurral-scanner <url> --output report.json

Save results to a JSON file for CI/CD integration

npx kurral-scanner <url> --category prompt_override

Test only specific risk categories

npx kurral-scanner <url> --verbose

Show detailed output including all probes and responses

npx kurral-scanner --help

Show all available options

Risk Categories

The scanner tests for these risk categories using differential analysis:

Prompt Override

critical

Instruction hijacking, jailbreaks, role manipulation attempts

System Prompt Leak

critical

Exposure of hidden instructions, system prompts, or configuration

Data Exfiltration

high

Attempts to extract data via tool calls or external requests

Secret Exposure

high

API keys, tokens, credentials appearing in responses

Injection Passthrough

medium

Unsafe content passed to tool calls (SQL, command, path)

PII Exposure

medium

Personal identifiable information in responses

Need Help?

Questions about the CLI scanner or need help integrating into your CI/CD pipeline?

Contact team@kurral.com