Why You Should Install Security Before You Install Anything Else Into Your AI Agent
Every skill, MCP server, and tool you add to an AI agent is unreviewed code with keys to your machine. One command scans before load and guards at runtime.
Install security before you install anything else. npm install -g @panguard-ai/panguard && pga up hooks PanGuard into the agent runtimes you already run, so that from that point on every skill and MCP server you add gets scanned before it loads and watched while it runs. It is free, MIT-licensed, and the Community build is the complete product with no paywall.
Here is the problem in one sentence. You install skills, MCP servers, and tools into your AI agents constantly, and each one is unreviewed code that runs with the same permissions your agent has: your files, your credentials, your shell.
What actually happens when you add a skill or an MCP server?
You hand it the keys. An MCP server can read your files, call your APIs, and shell out. A skill is a text file your agent will follow as instructions. Neither one goes through the review a normal dependency would. There is no npm audit for the thing your agent just decided to trust at runtime.
This is not hypothetical. postmark-mcp was a trusted MCP server that silently BCC'd between 3,000 and 15,000 emails per day for 15 versions before anyone noticed. MCPJam Inspector shipped with a default 0.0.0.0 bind (CVE-2026-23744): one HTTP request to the exposed port was remote code execution, in every version before v1.4.3. Azure MCP Server (CVE-2026-26118) had an SSRF flaw that stole managed-identity tokens and turned them into access to your Azure resources. Claude Code itself was exploited through its hooks and MCP config (CVE-2025-59536 and CVE-2026-21852) for arbitrary shell execution and API key theft.
The pattern is the same every time. A component you trusted did something you never reviewed, using access you already granted.
Why doesn't normal security tooling catch this?
Because the attack surface is new. Antivirus looks at binaries. SAST looks at your source. Neither one is watching the skill your agent pulled from a registry this morning, or the MCP server you added to try a demo. The agent is the new execution environment, and the things you load into it are the new supply chain.
OWASP formalized this in the Agentic Top 10 (2026). The categories read like a list of exactly these failures: ASI02 Tool Misuse and Exploitation, ASI04 Agentic Supply Chain Vulnerabilities, ASI05 Unexpected Code Execution, ASI06 Memory and Context Poisoning. These are not edge cases. They are the top of the list.
What does "scan before load, guard at runtime" mean in practice?
Two moves, one install.
Before load: pga scan <target> inspects a skill or MCP server before you install it. It runs the skill and server text against ATR, the Agent Threat Rules standard, checking for known attack patterns and dangerous capabilities.
At runtime: Guard watches what your agent actually does after load. pga up auto-detects the agent runtimes on your machine (Claude Code, Cursor, Windsurf, Gemini CLI, Cline, Codex CLI, and more) and hooks in without per-tool configuration. When a loaded component behaves like an attack it does not need to have been caught at scan time, because it gets caught at execution.
The detection layer underneath both is ATR, an independent, open, MIT-licensed standard that PanGuard is built on and operates. Think Sigma or CVE and the vendor that runs it. As of July 2026 the corpus is nearly 690 rules across 10 categories (npm agent-threat-rules v3.5.6). It maps to all 10 OWASP Agentic categories with 866 rule-to-category mappings (9 categories at STRONG coverage, ASI10 Rogue Agents at MODERATE), and to 34 of the 101 MITRE ATLAS techniques.
Is a rule-based scanner accurate enough to trust?
The honest answer is that accuracy depends on the corpus and the lane, so here are the numbers with their context. These are Layer 1, deterministic-rule benchmarks, not a single blended engine score.
| Corpus | Result |
|---|---|
| SKILL.md corpus (498 real-world samples) | 100% recall, 97% precision, 0.2% FP |
| NVIDIA garak (650 in-the-wild jailbreaks) | 97.2% recall |
| HackAPrompt (4,780 samples, EMNLP 2023) | 69.6% recall vs 28.6% baseline, 100% precision |
| PINT-format corpus (850 samples, self-built) | 99.7% precision, 63.6% recall |
On false positives I will not give you a single number, because there is not an honest one. On a 65,000-sample benign gate the false-positive rate is lane-based: about 0.24% in the enforce lane, and about 9% in the hunt lane, which is the default. The hunt lane flags more so you can review more. That is a design choice, and you should know which lane you are running.
How does every scan make everyone else safer?
This is the flywheel, and it is the reason a one-person project can keep pace with a moving threat. When a new attack is understood, an AI reads it once and writes it as a deterministic rule. That rule then executes in milliseconds for everyone who runs PanGuard. New attack to shipped rule takes about an hour, not the weeks a committee needs.
It is grounded in real scale. I ran a wild scan across six public registries: 96,096 AI agent skills, 751 confirmed malicious. Every confirmed sample that generalizes becomes a rule, gated against the 65,000-sample benign corpus so a fix for one user does not become a false alarm for the next.
Adoption reflects that the standard travels. ATR is shipping inside MISP and CIRCL, Cisco AI Defense's skill-scanner, the Microsoft Agent Governance Toolkit (a 287-rule pack on weekly auto-sync), Gen Digital's Sage, Microsoft PyRIT, and the OWASP Agent Security Regression Harness. Open PRs are in review with Google ADK, NVIDIA garak, OpenAI Guardrails, and the NIST OSCAL catalog.
Why now, and not after the first incident?
Because the legal clock is already running for anyone building high-risk AI. EU AI Act Article 15 makes detecting adversarial attacks a legal duty for high-risk systems, enforced from the end of 2027. But the practical reason is simpler. You install these components today, at a rate you cannot review by hand, and the cost of the first bad one is not a warning. It is your credentials.
FAQ
Does PanGuard cost anything?
No. It is free and MIT-licensed, and the Community build is the complete product. There is no paywall and no locked feature tier.
Which agent runtimes does it support?
pga up auto-detects Claude Code, Cursor, Windsurf, Gemini CLI, Cline, Codex CLI, and more, and hooks in without per-tool configuration.
Is ATR the same thing as PanGuard?
No. ATR is an independent, open, MIT-licensed standard, governed separately. PanGuard is one product built on it and operating it, the way a vendor runs on top of a standard like Sigma or CVE.
Will scanning slow my agent down?
Detection runs against deterministic rules that execute in milliseconds. The scan happens before load, and Guard watches at runtime without you configuring each tool.
The next step is one line. Run npm install -g @panguard-ai/panguard && pga up, then pga scan the next skill or MCP server before you install it. Read the standard at the ATR repo if you want to see exactly what it checks for.