Releases: ShadowStackRe/ShadowStackAI
Release list
ShadowStack v0.1
ShadowStack v0.1.0
Discovery & risk analytics for shadow-AI infrastructure.
First public release. ShadowStack inventories the AI-agent attack surface on your hosts — MCP servers, Claude skills & sub-agents, Cursor/Windsurf/Cline rules, and live MCP processes — scores each target, and maps every finding to MITRE ATT&CK and the OWASP LLM Top 10. Results render for a human or stream straight into a SIEM, a code-scanning dashboard, or an AI agent tasked with remediation.
It ships as a single, statically-linked binary with zero runtime dependencies — drop it on any x86-64 Linux box and run it.
Highlights
- Two scan engines in one binary:
--protocol mcp— network discovery of MCP servers (JSON-RPCinitialize, enumerates tools/resources/prompts, captures TLS + HTTP banners) across CIDRs, hosts, and DNS names.--protocol skills— filesystem audit of Claude skills, sub-agents, slash commands,CLAUDE.md/AGENTS.md, Cursor/Windsurf/Cline rules, MCP client configs and hooks — plus a live/procinventory of running stdio MCP servers (Linux).
- Severity + risk scoring — every finding is High/Medium/Low; targets are ranked by a weighted score (
10·H + 4·M + 1·L) intonone/low/medium/high/criticalbands. - MITRE ATT&CK / OWASP LLM Top 10 (2025) mapping + remediation guidance on every finding, carried through all output formats.
- Five output formats —
ascii(human),json(full inventory + risk + findings), and findings-onlyndjson(SIEM),sarif2.1.0 (GitHub code-scanning), andcsv(triage). - Stable finding identity — derived rule IDs (
SS-MCP-…/SS-SKL-…) and dedup fingerprints enable diffing across scans. - Built for recurring/automated use — baseline/delta mode, CI exit gating, allow-list suppression, version-controllable scan profiles, resumable sweeps, and pipe-safe stdout/stderr separation.
Features
Discovery
- MCP over both Streamable-HTTP and SSE transports; protocol-version negotiation (
2025-06-18→2024-11-05). - HTTP and TLS (TLS captured as evidence — self-signed/expired/internal certs become findings, not connection errors).
GET /.well-known/mcpdiscovery docs;401+WWW-Authenticate: Bearerhosts surfaced as suspected (auth-gated) MCP servers.- Flexible targeting: repeatable/comma-separated
--target(alias--cidr) taking any mix of CIDRs, IPv4s, and DNS names;--targets-filescope lists; merged + de-duplicated. - Live process inventory (Linux
/proc): npx@modelcontextprotocol/*,uvx/pipx/bunxrunners,python -m mcp_server_*,mcp-server/mcp-proxybinaries, node/bun/deno scripts.
Rules & analytics
- MCP rules: transport, TLS, auth/Origin, identity, capabilities, instructions, tools, resources/templates, prompts, banners, suspected auth-gated hosts, and multi-signal correlations (rug-pull, exfil/RCE chains, cross-server tool shadowing).
- Skills rules: file metadata, frontmatter, tool-grant/auto-approve directives, content (URLs/IPs/scripts/commands/keywords), concealment detection (zero-width/bidi/Unicode-tag/ANSI/base64), hooks, MCP config, live process, and generic/linux/windows TTP correlations.
- Per-target weighted risk ranking shared by the ASCII and JSON renderers.
Operations
--baseline <prior-report>— emit only findings new since a prior scan (format-agnostic).--fail-on <high|medium|low>— exit code2for CI/CD gating.--allow-list <file>— suppress accepted findings (category/target globs); suppressed count still reported.--config <profile.toml>— pin flags into a version-controllable profile (CLI flag > profile > default).--resume <file>— restartable, identity-pinned CIDR sweeps (MCP).--max-duration/--per-host-delay/--connect-retries/--connect-backoff— politeness & resilience knobs.-v/-qleveled logging to stderr; report stays clean on stdout.
Install
Download the static binary for x86-64 Linux, verify the checksum, and run:
# download (replace <tag-url> with this release's asset URL)
curl -LO <tag-url>/shadowstack-0.1.0-x86_64-linux
curl -LO <tag-url>/shadowstack-0.1.0-x86_64-linux.sha256
# verify
sha256sum -c shadowstack-0.1.0-x86_64-linux.sha256
# install
chmod +x shadowstack-0.1.0-x86_64-linux
sudo mv shadowstack-0.1.0-x86_64-linux /usr/local/bin/shadowstack
shadowstack --helpThe binary is statically linked (musl) — no glibc or OpenSSL required, runs on any x86-64 Linux distribution.
Quick start
# Discover MCP servers on a /24
shadowstack --protocol mcp --target 192.168.1.0/24
# Audit the local AI surface as JSON
shadowstack --protocol skills --format json --output skills.json
# CI gate: fail on any High finding, emit SARIF for code-scanning
shadowstack -p skills --fail-on high -f sarif -o results.sarifSupported platforms
- x86-64 Linux — prebuilt static binary (this release).
- The live process inventory (
/proc) is Linux-only; all other functionality is portable and the codebase builds on other targets from source.
Known limitations
- Discovery targets IPv4 (CIDR/host/DNS→IPv4). IPv6 ranges are not yet enumerated.
- Live MCP process inventory requires Linux
/proc; on other OSes the process list is empty (the rest of the scan is unaffected).
License
Apache License 2.0. See LICENSE.