npxで使える、AIエージェント向けリポジトリ安全チェックCLIを作った npxで使える、AIエージェント向けリポジトリ安全チェックCLIを作った

A developer has released AgentRisk, a command-line tool that scans repositories and packages for risky settings or suspicious instructions before an AI coding agent is allowed to read them. The tool is published on npm and can be run without a separate installation step using a single command, npx agentrisk scan, which makes it easy to drop into an existing workflow. As AI agents increasingly read, summarize, and act on unfamiliar code, the question of whether that code is safe to expose to an automated assistant has become a practical concern, and AgentRisk is one attempt to address it.

The core idea responds to a class of risks that has grown alongside the popularity of AI coding assistants such as Cursor, GitHub Copilot, Claude Code, and similar tools. When an agent ingests a repository, it does not only process source code; it may also read README files, configuration files, documentation, comments, and other text. If any of that content contains instructions aimed at the agent rather than at a human reader, the agent can be manipulated. This category of attack is generally referred to as prompt injection, and it becomes more dangerous when an agent has the ability to execute commands, modify files, or call external services. AgentRisk appears to target exactly this gap by inspecting a project for the kinds of content that could subvert an agent's behavior.

According to the description, the tool focuses on two broad categories: dangerous configurations and suspicious instructions. Dangerous configurations could include settings that grant excessive permissions, scripts that run automatically, or hooks that execute during routine operations. Suspicious instructions would cover text that attempts to direct an agent to perform actions a user did not intend, such as exfiltrating secrets, disabling safety checks, or following hidden directives embedded in documentation. By surfacing these signals before an agent reads the repository, the workflow shifts a security checkpoint earlier in the process, giving the user a chance to review findings first.

The choice to distribute the tool through npm and to support npx is notable for adoption. npx allows a user to run a package directly from the npm registry without a global install, so a developer can evaluate an unknown repository with a single command and without committing to a permanent dependency. This lowers the barrier to running a quick check and fits naturally into the moment when a developer has just cloned or downloaded a project they have not yet inspected. The scan target in the documented example is the current directory, indicated by the trailing period, which suggests the tool is meant to be run from inside a checked-out project.

The tool is categorized under MCP, the Model Context Protocol, an open standard introduced by Anthropic that defines how AI applications connect to external tools, data sources, and context. MCP has expanded the ways agents can reach beyond their immediate prompt to read files, query systems, and invoke capabilities, which is precisely what makes the security of the underlying content more important. As more MCP servers and integrations become available, the surface area for an agent to encounter untrusted instructions grows, and tooling that vets that content before it reaches the model is likely to be of increasing interest.

AgentRisk sits within a broader industry conversation about software supply chain security and AI safety. Established practices such as dependency auditing, secret scanning, and static analysis address related but distinct problems, and tools aimed specifically at AI agent risk are still relatively new. It is worth treating any single scanner as one layer rather than a complete safeguard; automated detection of adversarial natural language is inherently imperfect, and determined attackers may craft instructions designed to evade pattern-based checks. Readers evaluating the tool should review its detection logic and output to understand what it does and does not catch.

For developers experimenting with AI agents on unfamiliar code, a lightweight, npx-runnable check offers a low-friction way to add a review step. Those interested can try it through the documented command and consult the project's npm listing for the full set of options and the categories of risks it reports.