AI Scanner
Scan codebases for LLM/AI SDK usage, exposed API tokens, and hardcoded secrets.
Install
$ agentstack add mcp-aakashbhardwaj27-ai-scanner-mcp ✓ scanned · ✓ verified — works with Claude Code, Cursor, and more.
Security review
✓ PassedNo issues found. Passed automated security review. · v1.0.2 How review works →
- ✓ Prompt-injection patterns
- ✓ Secret / credential exfiltration
- ✓ Dangerous shell & filesystem operations
- ✓ Untrusted network calls
- ✓ Known-malicious package signatures
About
ai-scanner-mcp
MCP server for ai-scanner - let AI agents scan codebases for LLM usage, AI frameworks, and exposed secrets.
An MCP server that exposes ai-scanner as tools for AI agents. Works with Claude Code, Claude Desktop, Cursor, Windsurf, and any MCP-compatible client.
Tools
| Tool | Description | |---|---| | scan_directory | Full scan — LLM SDKs, AI frameworks, exposed tokens, and hardcoded secrets with severity levels | | check_secrets | Security check — pass/fail scan for exposed credentials only. Perfect for pre-commit checks | | ai_inventory | AI stack overview — which SDKs, frameworks, models, and API endpoints are used (no secret detection) |
Setup
Claude Code
claude mcp add ai-scanner npx ai-scanner-mcpClaude Desktop
Add to your claude_desktop_config.json:
{
"mcpServers": {
"ai-scanner": {
"command": "npx",
"args": ["ai-scanner-mcp"]
}
}
}Config file location:
- macOS:
~/Library/Application Support/Claude/claude_desktop_config.json - Windows:
%APPDATA%\Claude\claude_desktop_config.json
Cursor
Add to .cursor/mcp.json in your project:
{
"mcpServers": {
"ai-scanner": {
"command": "npx",
"args": ["ai-scanner-mcp"]
}
}
}Windsurf
Add to ~/.windsurf/mcp.json:
{
"mcpServers": {
"ai-scanner": {
"command": "npx",
"args": ["ai-scanner-mcp"]
}
}
}Example Usage
Once connected, you can ask your AI agent:
- "Scan this project for any exposed API keys"
- "Check if there are any hardcoded secrets before I commit"
- "What AI SDKs and frameworks does this codebase use?"
- "Run a security scan on ./src and tell me if it's safe to push"
- "Give me an AI inventory of this project"
Tool Details
scan_directory
Full scan with all detection categories. Parameters:
| Parameter | Type | Default | Description | |---|---|---|---| | directory | string | required | Path to scan | | ai_only | boolean | false | Skip generic secrets (Stripe, GitHub, etc.) | | scan_env | boolean | false | Include .env files | | include_endpoints | boolean | true | Detect LLM API endpoint URLs | | include_models | boolean | true | Detect model name references |
check_secrets
Security-focused pass/fail check. Parameters:
| Parameter | Type | Default | Description | |---|---|---|---| | directory | string | required | Path to scan | | ai_only | boolean | false | Only check AI tokens | | scan_env | boolean | false | Include .env files |
ai_inventory
AI stack awareness (no secret detection). Parameters:
| Parameter | Type | Default | Description | |---|---|---|---| | directory | string | required | Path to scan |
Detection Coverage
- AI Tokens (20+) — OpenAI, Anthropic, Google, AWS, HuggingFace, Groq, Replicate, and more
- Generic Secrets (59) — Stripe, Twilio, GitHub, Slack, Discord, database URIs, private keys, JWTs
- LLM SDKs (23) — OpenAI, Anthropic, Google Gemini, LiteLLM, AWS Bedrock, and more
- AI Frameworks (24) — LangChain, LlamaIndex, CrewAI, AutoGen, DSPy, Vercel AI SDK, and more
- 145 total detection patterns
License
Source & license
This open-source MCP server is cataloged on AgentStack and links to its original source — we do not rehost the code.
- Author: sky-in-code
- Source: sky-in-code/ai-scanner-mcp
- License: MIT
- Homepage: https://aakashbhardwaj27.github.io/ai-scanner/
Install and usage instructions live in the source repository linked above.
Reviews
No reviews yet — be the first.
Write a review
Versions
- v1.0.2 Imported from the upstream source.