AgentScore

Trust and reputation scoring for AI agents with ERC-8004 registry integration.

ai-ml
GitHub
0Tools
3Findings
0Stars
Mar 24, 2026Last Scanned
1 critical · 1 high · 1 low findings detected

Security Category Deep Dive

Prompt Injection
Prompt & context manipulation attacks
69
Maturity
14
Rules
5
Sub-Categories
1
Gaps
64%
Implemented
56
Tests
1
Stories
PI-DIRDirect Input Injection
100%3 rules
Injection via tool descriptions and parameter fields
GAP-001Prompt Injection Coverage GapMissing detection coverage for emerging prompt injection attack variants not addressed by current rules
PI-INDIndirect / Gateway Injection
100%4 rules
Hidden instructions via external content and tool responses
PI-CTXContext Manipulation
100%2 rules
Context window saturation and prior-approval exploitation
PI-ENCEncoding & Obfuscation
100%3 rules
Payload hiding via invisible chars, base64, schema fields
PI-TPLTemplate & Output Poisoning
100%2 rules
Injection via prompt templates and runtime tool output
Framework Coverage
OWASP MCP Top 1014/14
MITRE ATLAS14/14
CoSAI MCP2/14
OWASP Agentic Top 1012/14
Kill Chain Phases
0Initial Access
0Defense Evasion
0Execution
0Persistence

Findings3

1critical
1high
1low

Critical1

criticalQ13MCP Bridge Package Supply Chain AttackMCP10-supply-chainAML.T0054
Pattern "["']@modelcontextprotocol/sdk["']\s*:\s*["'](?:\^|~|\*|latest)" matched in source_code: ""@modelcontextprotocol/sdk": "^" (at position 1874)
MCP bridge packages (mcp-remote, mcp-proxy, @modelcontextprotocol/sdk, fastmcp) are high-value supply chain targets — CVE-2025-6514 (CVSS 9.6) in mcp-remote affected 437,000+ installs. Always pin exact versions (no ^ or ~ ranges). Use lockfiles (package-lock.json, pnpm-lock.yaml, uv.lock). Never run `npx mcp-remote` without version pinning. Verify package integrity with `npm audit` or `pip-audit` before deployment. Reference: CVE-2025-6514, OWASP ASI04.

High1

highQ15A2A/MCP Protocol Boundary ConfusionMCP06-excessive-permissionsAML.T0054
Pattern "(?:discover|register|advertise).*(?:agent|skill|capability)(?!.*(?:verify|auth|sign|trust))" matched in source_code: "registerBrowseAgents } from './tools/browse-agent" (at position 256)
Servers bridging A2A and MCP protocols must: (1) sanitize all A2A task metadata before passing to MCP tool inputs, (2) apply MCP content policies to A2A TextPart/FilePart/DataPart content, (3) validate A2A push notifications before they re-enter MCP context, (4) require cryptographic verification for agent discovery and registration (prevent fake agent advertisement — arXiv 2602.19555), (5) maintain separate permission models for A2A and MCP operations — trust in one protocol must not automatically grant trust in the other.

Low1

lowF4MCP Spec Non-ComplianceMCP07-insecure-config
Server fails MCP spec compliance checks: required:server_name; required:server_version; required:protocol_version; recommended:tool_descriptions; recommended:parameter_descriptions
Follow the MCP specification for server metadata. Include server name, version, and protocol version. Provide descriptions for all tools and parameters.