This is the reference for all issues that can be detected via snyk-agent-scan.
Issues are identified security threats that result in compromised MCP servers or skills, and should be addressed as soon as possible.
Detected a prompt injection in the tool description. The tool should be deactivated immediately.
This is a form of tool poisoning where a malicious MCP server embeds hidden adversarial instructions inside its tool descriptions to hijack the agent. Unlike E003, which detects overt behavioral directives, E001 targets deceptive injections that are designed to be invisible to the user.
A tool from one MCP server references a tool belonging to a different server. MCP servers should be self-contained, when a server's tool description mentions tools from another server, it can poison the behavior of those trusted tools.
This is a tool shadowing attack, where a malicious server overrides or interferes with the behavior of a legitimate tool from another server.
The tool description contains overt instructions that attempt to hijack the agent into performing a set of potentially dangerous actions. Tools should be at the disposal of the agent and should not provide it with directives.
Unlike E001, which targets hidden adversarial injections, E003 detects tool descriptions that go beyond describing the tool's functionality and instead try to force the agent into specific behaviors — for example, instructing it to always call certain tools, avoid safety checks, or perform actions unrelated to the tool's stated purpose. These directives may not be hidden, but are still dangerous because they override the agent's autonomy.
Detected a prompt injection in the skill instructions. The skill contains hidden or deceptive instructions that fall outside its stated purpose and attempt to override the agent's safety guidelines or intended behavior.
Detected a suspicious URL in the skill instructions that could lead the agent to download and execute malicious scripts or binaries. This includes links to executables from untrusted sources, typosquatting of official packages, URL shorteners that obscure the destination, and personal file hosting services.
Such links pose a significant risk as they indicate that Agent Scan cannot verify the full behavior of a skill (analysis is limited to the skill's own content, not externally referenced dependencies).
Detected high-risk code patterns in the skill content — including its prompts, tool definitions, and resources — such as data exfiltration, backdoors, remote code execution, credential theft, system compromise, supply chain attacks, and obfuscation techniques.
Warnings are potential security threats. They do not necessarily indicate a security issue, but should be investigated.
The tool description contains words commonly associated with prompt injection attempts, such as "important" or "crucial". These words are often used in tool poisoning attacks to draw the agent's attention and override its normal decision-making process.
While the presence of these words alone does not confirm malicious intent, it is a signal worth investigating, especially when combined with unusual tool descriptions.
The server exposes more than 100 entities (tools, resources, and prompts combined). Agent performance is expected to degrade when too many tools are available, as the agent's context becomes cluttered and tool selection becomes unreliable. A large number of entities also increases the attack surface.
The skill handles credentials insecurely by requiring the agent to include secret values verbatim in its generated output. This exposes credentials in the agent's context and conversation history, creating a risk of data exfiltration.
Detected sensitive credentials directly embedded within the skill content, such as API keys, access tokens, private keys, or service-specific secrets. Secrets should never be hardcoded in plain text within skill instructions.
The skill is specifically designed for direct financial operations, giving the agent the ability to move money or execute financial transactions — such as payment processing, cryptocurrency operations, banking integrations, or market order execution.
The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.
The skill fetches instructions or code from an external URL at runtime, and the fetched content directly controls the agent's prompts or executes code. This dynamic dependency allows the external source to modify the agent's behavior without any changes to the skill itself.
Some skills implement this behavior to enable auto-update mechanisms, however, it allows skills authors to change skill instructions at any point in time, disabling any form of version pinning and allowing for potential remote instruction changes (RCE risk).
The skill prompts the agent to compromise the security or integrity of the user's machine by modifying system-level services or configurations, such as obtaining elevated privileges, altering startup scripts, or changing system-wide settings. This may be legitimate in rare cases, but should be investigated.
A toxic flow is a threat that arises when multiple tools (that are benign individually) can be used in combination by an attacker in a malicious way.
For each tool, Agent Scan classifies whether it can act as an untrusted content source (returns data from external or user-controlled sources), a private data accessor (exposes sensitive user data), a public sink (sends data to external or public destinations), or a destructive action (performs irreversible operations). Toxic flows are then detected when dangerous combinations of these classifications exist within the same agent.
A Data Leak Toxic Flow allows an attacker to exfiltrate private data from the user through the agent. This flow requires three components to be present across the agent's available tools:
- An untrusted content tool: A tool whose output could be malicious, such as fetching information from a webpage set up by an attacker.
- A private data tool: A tool that exposes private data to the agent, such as reading files from the user's machine or querying a database.
- A public sink tool: A tool that the agent can use to send information to external parties, such as sending a message on WhatsApp, posting to a public repository, or making an HTTP request.
The attack works as follows: the agent uses the untrusted content tool for an unrelated user task. The tool's output contains a prompt injection that compromises the agent. The compromised agent then uses the private data tool to access sensitive information, and finally leaks it through the public sink tool.
Note: A single tool may act as untrusted content, private data, and public sink simultaneously.
A Destructive Toxic Flow allows an attacker to cause irreversible damage through the agent. This flow requires two components:
- An untrusted content tool: A tool whose output could be malicious, such as fetching information from a webpage set up by an attacker.
- A destructive tool: An irreversible tool that can cause permanent damage, such as deleting files, sending money, or modifying critical system state.
The attack works as follows: the agent uses the untrusted content tool for an unrelated user task. The tool's output contains a prompt injection that compromises the agent. The compromised agent then uses the destructive tool to cause irreversible damage to the environment.
Note: A single tool may act as untrusted content and destructive simultaneously.
System codes indicate scanner status information, configuration issues, or analysis limitations. These are not security threats but may affect the quality of the scan.
Agent Scan could not determine the identity of this MCP server in terms of matching to a package manager or registry. This typically indicates custom, homebrew or non-standard server implementations that are not published via Docker/PyPI/NPM/etc which can be a risk.
The MCP server was identified but is not present in Agent Scan's registry of known servers. Security analysis is applied to the server as best as possible, but it is not as thorough as for servers that are in the registry.
The tool was not found in Agent Scan's registry, even though the server it belongs to is registered. This may indicate that the tool was recently added, renamed, or is not part of the server's expected toolset. It could also indicate a rug pull attack where a server has been modified after initial registration.
Agent Scan was unable to start the MCP server to retrieve its tools and descriptions. This may happen when the server binary is missing, dependencies like docker or NPM are not installed, or the server configuration is incorrect. Security analysis may still be available if the server identity can be determined and looked up in the registry.
The backend of snyk-agent-scan could not be reached. This might happen when:
- The
snyk-agent-scanbackend is down. - You manually selected the backend using the
--base-urlflag, and the backend you selected cannot be reached. - There is no connection to the internet.
(deprecated) The tool has been whitelisted. It will now show in green even if issues are detected.