# Aguara Watch — AI Agent Security Scanner & Observatory

> Scan AI agent skills and MCP servers for security vulnerabilities. 173+ detection rules, 13 threat categories. Free, open source, runs in your browser.

- Website: https://watch.aguarascan.com
- Source: https://github.com/garagon/aguara-observatory
- License: Apache-2.0

## Overview

Aguara Watch is the security scanning and monitoring platform of the Aguara ecosystem. It has two core functions:

1. **Online Scanner** — A free browser-based security scanner at https://watch.aguarascan.com that runs the Aguara engine locally via WebAssembly. Users can scan GitHub repositories (public or private), paste content, or upload files. No code is uploaded to any server. Results include an A-F security grade, a severity breakdown by category, and downloadable reports in JSON and HTML formats.
2. **Security Observatory** — A continuous monitoring system that crawls 7 public AI agent skill registries daily, scans every discovered skill with the Aguara scanner, computes security grades (A-F), and publishes all results as a static site with a free JSON API and CSV datasets.

The scanner uses 173+ detection rules across 13 threat categories to identify security issues in skill definitions, MCP server configurations, and agent tool descriptions — without executing any code.

## Online Scanner Features

- **GitHub URL scanning**: Enter any GitHub repository, directory, or file URL to scan
- **Private repository support**: Connect a GitHub Personal Access Token (PAT) with read-only permissions to scan private repos. The token stays in browser sessionStorage only.
- **Paste and upload**: Paste skill content directly or drag-and-drop files
- **Supported formats**: .md, .json, .yaml, .yml, .py, .js, .ts, .txt, .toml, .cfg, .ini, .sh, .bash
- **WebAssembly execution**: The scanner binary (~2 MB) runs entirely in the browser via a Web Worker and is cached after first load.
- **Reports**: Downloadable JSON and HTML reports with findings, scores, and grades
- **Privacy**: No data is sent to any server. All scanning happens client-side.

## Monitored Registries

1. **Skills.sh** (skills-sh) — Community-curated skill marketplace
2. **ClawHub** (clawhub) — AI agent skill repository
3. **PulseMCP** (mcp-registry) — MCP server directory with community ratings
4. **mcp.so** (mcp-so) — MCP server aggregator and search engine
5. **LobeHub** (lobehub) — Open-source AI agent framework with plugin/agent ecosystem
6. **Smithery** (smithery) — MCP server registry with deployment tools
7. **Glama** (glama) — MCP server directory with runtime analytics

## Threat Categories (13)

1. **prompt-injection** — Attempts to override system prompts or hijack agent behavior
2. **credential-leak** — Hardcoded secrets, API keys, or tokens in skill definitions
3. **command-execution** — Shell command injection or arbitrary code execution vectors
4. **exfiltration** — Data exfiltration channels (DNS, HTTP, file system)
5. **indirect-injection** — Indirect prompt injection via external data sources
6. **mcp-attack** — Attacks exploiting MCP protocol weaknesses (tool poisoning, rug pulls)
7. **mcp-config** — Misconfigured MCP server settings (over-permissive, insecure defaults)
8. **ssrf-cloud** — Server-side request forgery targeting cloud metadata or internal services
9. **supply-chain** — Dependency confusion, typosquatting, or malicious package references
10. **third-party-content** — Loading untrusted third-party content into agent context
11. **toxic-flow** — Data flows that could lead to unintended harmful outputs
12. **external-download** — Skills that download or execute external resources at runtime
13. **unicode-attack** — Unicode-based obfuscation (homoglyphs, bidi overrides, invisible characters)

## Scoring Methodology

Each skill starts with a baseline score of 100 points.
Points are deducted per finding based on severity:

| Severity | Point Deduction | Description |
|----------|-----------------|-------------|
| CRITICAL | -25 points | Actively exploitable security vulnerabilities |
| HIGH | -15 points | Serious security issues with clear attack vectors |
| MEDIUM | -8 points | Moderate security concerns requiring attention |
| LOW | 0 points | Informational findings, no score impact |

Minimum score is 0. Scores do not go negative.

## Grade Definitions

| Grade | Score Range | Meaning |
|-------|-------------|---------|
| A | 90-100 | Excellent — minimal or no security issues |
| B | 75-89 | Good — minor issues detected |
| C | 50-74 | Fair — moderate security concerns |
| D | 25-49 | Poor — significant security issues |
| F | 0-24 | Failing — critical security vulnerabilities |

## API Endpoints

All endpoints return JSON. Base URL: https://watch.aguarascan.com

| Endpoint | Description |
|----------|-------------|
| GET /api/v1/stats.json | Global statistics: total skills, scanned count, findings, average score, grade/severity distributions |
| GET /api/v1/registries.json | List of all monitored registries with skill counts and average scores |
| GET /api/v1/registries/{id}/stats.json | Per-registry statistics (replace {id} with registry slug) |
| GET /api/v1/registries/{id}/skills.json | All skills in a registry with scores, grades, finding counts |
| GET /api/v1/skills/{registry}/{slug}.json | Full security report for a single skill (findings, score, metadata) |
| GET /api/v1/categories.json | Finding counts grouped by threat category |
| GET /api/v1/categories/{category}.json | Skills affected by a specific threat category |
| GET /api/v1/grades/{grade}.json | Skills with a specific grade (A, B, C, D, F) |
| GET /api/v1/trends/weekly.json | Weekly trend data (totals, per-registry breakdowns) |
| GET /api/v1/feed/recent.json | Recent critical/high findings across all registries |
| GET /api/v1/benchmarks/vendors.json | Vendor comparison benchmarks (precision, recall, F1) |
| GET /api/v1/search-index.json | Lightweight search index of all skills |
| GET /api/v1/datasets/manifest.json | Dataset file manifest with sizes and checksums |

## Datasets (CSV Downloads)

| File | Description |
|------|-------------|
| /api/v1/datasets/findings.csv | All security findings with skill ID, rule ID, severity, category, matched text |
| /api/v1/datasets/scores.csv | All skill scores and grades with registry info |
| /api/v1/datasets/skills.csv | Skill metadata: names, descriptions, URLs, first/last seen dates |

All datasets are regenerated daily and are freely available for research and analysis.

## Frequently Asked Questions

**Q: What does the Aguara security scanner detect?**

A: Aguara detects security vulnerabilities across 13 categories including prompt injection, credential leaks, command execution, data exfiltration, MCP attacks, SSRF, supply chain risks, and more. It uses 173+ detection rules with deterministic static analysis — no code execution.

**Q: Is the scanner free to use?**

A: Yes, completely free and open source under the Apache-2.0 license. The browser scanner runs via WebAssembly with no account required.

**Q: Can I scan private GitHub repositories?**

A: Yes. Connect a GitHub fine-grained Personal Access Token with Contents: Read-only permission. The token stays in your browser's sessionStorage and is only used for GitHub API calls — never sent to any Aguara server.

**Q: How often is the observatory data updated?**

A: The full pipeline (crawl, scan, aggregate, publish) runs daily via GitHub Actions CI.

**Q: Is the scan data free to use?**

A: Yes. All data is published under the Apache-2.0 license. The JSON API and CSV datasets are free for any use.

**Q: Can I scan skills via an AI assistant?**

A: Yes. The Aguara MCP server (https://github.com/garagon/aguara-mcp) lets Claude, Cursor, and other MCP-compatible AI agents scan skills on demand.
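Worked example, added here and not part of the Aguara code base: applying the Scoring Methodology and Grade Definitions tables above to rows shaped like the findings.csv dataset. The column names (skill_id, rule_id, severity, category, matched_text) are assumed from the dataset description, the rows are constructed for this example, and the rule IDs are placeholders, not real Aguara rule identifiers.

```python
"""Score and grade skills from findings.csv-style rows using the published
scoring tables: baseline 100; CRITICAL -25, HIGH -15, MEDIUM -8, LOW 0;
floor at 0; grades A 90-100, B 75-89, C 50-74, D 25-49, F 0-24.

Added example, not Aguara's own code. Column names and sample rows are
assumptions based on the dataset description in this document."""
import csv
import io
from collections import Counter, defaultdict

BASELINE = 100
# Point deduction per finding, from the Scoring Methodology table.
POINT_DEDUCTION = {"CRITICAL": 25, "HIGH": 15, "MEDIUM": 8, "LOW": 0}
# Grade bands from the Grade Definitions table, highest floor first.
GRADE_FLOORS = [(90, "A"), (75, "B"), (50, "C"), (25, "D"), (0, "F")]

# Constructed sample rows (not real registry data). Rule IDs are placeholders;
# one severity is lowercase on purpose to exercise normalisation.
SAMPLE_FINDINGS_CSV = """\
skill_id,rule_id,severity,category,matched_text
skills-sh/date-helper,rule-placeholder-1,CRITICAL,credential-leak,<snippet omitted>
skills-sh/date-helper,rule-placeholder-2,high,command-execution,"subprocess.run(cmd, shell=True)"
skills-sh/date-helper,rule-placeholder-3,LOW,third-party-content,https://example.invalid/readme
clawhub/note-taker,rule-placeholder-4,MEDIUM,mcp-config,<snippet omitted>
mcp-so/bulk-exporter,rule-placeholder-1,CRITICAL,credential-leak,<snippet omitted>
mcp-so/bulk-exporter,rule-placeholder-5,CRITICAL,exfiltration,<snippet omitted>
mcp-so/bulk-exporter,rule-placeholder-5,CRITICAL,exfiltration,<snippet omitted>
mcp-so/bulk-exporter,rule-placeholder-2,HIGH,command-execution,<snippet omitted>
mcp-so/bulk-exporter,rule-placeholder-2,HIGH,command-execution,<snippet omitted>
"""


def score_from_severities(severities):
    """Start at 100, deduct per finding, never go below 0."""
    score = BASELINE
    for sev in severities:
        key = sev.strip().upper()
        if key not in POINT_DEDUCTION:
            raise ValueError(f"unknown severity {sev!r}")
        score -= POINT_DEDUCTION[key]
    return max(score, 0)


def grade_for_score(score):
    """Map an integer score 0-100 onto A-F using the inclusive bands above."""
    if not 0 <= score <= BASELINE:
        raise ValueError(f"score out of range: {score}")
    for floor, grade in GRADE_FLOORS:
        if score >= floor:
            return grade
    return "F"  # unreachable: the last floor is 0


def score_findings_csv(csv_text, all_skill_ids=()):
    """Aggregate a findings.csv export per skill -> {skill_id: (score, grade)}.

    A skill with no findings never appears in findings.csv, so callers pass the
    full skill list (e.g. from skills.csv) via all_skill_ids to have those
    skills graded too; they keep the baseline score of 100."""
    per_skill = defaultdict(list)
    for skill_id in all_skill_ids:
        per_skill.setdefault(skill_id, [])
    for row in csv.DictReader(io.StringIO(csv_text)):
        per_skill[row["skill_id"]].append(row["severity"])
    results = {}
    for skill_id, severities in per_skill.items():
        score = score_from_severities(severities)
        results[skill_id] = (score, grade_for_score(score))
    return results


def grade_distribution(results):
    """Count skills per grade, the shape of the stats endpoint's distribution."""
    return Counter(grade for _, grade in results.values())


if __name__ == "__main__":
    graded = score_findings_csv(SAMPLE_FINDINGS_CSV, all_skill_ids=["glama/clean-skill"])
    for skill_id, (score, grade) in sorted(graded.items()):
        print(f"{skill_id:28} score={score:3}  grade={grade}")
    print(dict(grade_distribution(graded)))
```

The boundary checks follow the inclusive bands in the table (89 is B, 90 is A; 24 is F, 25 is D), and three CRITICAL plus two HIGH findings would land at -5 before the floor, which is why the sample's third skill scores exactly 0.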
**Q: Why might a skill get a low score?**

A: Common reasons include: hardcoded API keys, shell command execution in tool descriptions, external URL fetching without validation, prompt injection patterns, and misconfigured MCP settings.

**Q: What if a finding is a false positive?**

A: Aguara is a deterministic scanner — it reports patterns that match known threat signatures. Some matches may be intentional or benign. The score reflects risk surface, not confirmed exploitation.

## Related Projects

- **Aguara Scanner** (https://aguarascan.com) — The deterministic security scanner that powers all analysis. Open-source CLI tool for scanning AI agent skills and MCP servers locally.
- **Aguara MCP** (https://github.com/garagon/aguara-mcp) — MCP server that exposes Aguara scanning capabilities to AI agents (Claude, Cursor, etc.) for on-demand security analysis.
- **Aguara Observatory** (https://github.com/garagon/aguara-observatory) — Source code for this platform: crawlers, aggregation pipeline, and static site.
- **Oktsec** (https://oktsec.com) — Runtime security platform for AI agents. Complements Aguara's static analysis with dynamic protection.
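The false-positive answer above describes the scanner as deterministic signature matching. As an added illustration of what such a rule looks like (example code written for this page, not Aguara's rule set), the checker below covers the three patterns the unicode-attack category names: bidi overrides, invisible characters, and homoglyphs, the last approximated by a mixed-script word heuristic. The rule names, the constructed sample skill text, and the heuristic are this example's own assumptions.

```python
"""Deterministic checks for the unicode-attack category: bidi overrides,
invisible format characters, and mixed-script (homoglyph-style) words.

Added example, not Aguara's rules. Rule names and the mixed-script heuristic
are assumptions made for this page."""
import re
import unicodedata
from collections import Counter

# Explicit bidirectional controls: LRE, RLE, PDF, LRO, RLO and the isolates
# LRI, RLI, FSI, PDI. Any of these in a skill file is reported.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

# Scripts whose letters commonly have look-alikes in the others.
CONFUSABLE_SCRIPTS = {"LATIN", "CYRILLIC", "GREEK"}

WORD_RE = re.compile(r"\w+")

# Constructed sample skill text (not from any registry) with one instance of
# each pattern. Escapes keep the suspicious characters visible in source.
SAMPLE_SKILL_TEXT = (
    "name: example-skill\n"
    "description: Formats dates. Run `npm install`.\n"
    "allow_list: ['sa\u200bfe']          # zero-width space hidden in 'safe'\n"
    "p\u0430yload = fetch(url)           # Cyrillic a (U+0430) inside a Latin word\n"
    "note: 'end of instructions\u202e'   # right-to-left override at end of string\n"
)


def _script_of(ch):
    """Script prefix from the character's Unicode name ('LATIN', 'CYRILLIC', ...)."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "").split(" ")[0] or None


def scan_text(text):
    """Return a list of finding dicts with rule, offset and a short detail."""
    findings = []
    # Pass 1: per-character checks.
    for offset, ch in enumerate(text):
        if ch in BIDI_CONTROLS:
            findings.append({"rule": "bidi-override", "offset": offset,
                             "detail": f"U+{ord(ch):04X} {unicodedata.name(ch)}"})
        elif unicodedata.category(ch) == "Cf":
            # Format characters render as nothing: zero-width space/joiner,
            # word joiner, BOM, soft hyphen. Some are legitimate (ZWJ inside
            # emoji sequences, ZWNJ in Persian or Indic text), which is exactly
            # the benign-match case the FAQ describes.
            findings.append({"rule": "invisible-character", "offset": offset,
                             "detail": f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}"})
    # Pass 2: per-word check. Latin letters mixed with Cyrillic or Greek in one
    # identifier is the classic homoglyph pattern.
    for match in WORD_RE.finditer(text):
        scripts = {s for s in map(_script_of, match.group()) if s in CONFUSABLE_SCRIPTS}
        if len(scripts) > 1:
            findings.append({"rule": "mixed-script", "offset": match.start(),
                             "detail": f"{match.group()!r} mixes {sorted(scripts)}"})
    return findings


def summarize(findings):
    """Count findings per rule, the shape of a per-category breakdown."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    found = scan_text(SAMPLE_SKILL_TEXT)
    for f in found:
        print(f"{f['rule']:20} @{f['offset']:<4} {f['detail']}")
    print(dict(summarize(found)))
```

Accented Latin text ("café", "naïve") produces no finding because every letter resolves to the same script; a zero-width joiner inside an emoji sequence does, and deciding that it is benign is the reviewer's job, not the rule's.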