Every MCP Security Scanner in 2026: SkillShield, Vett, Aguara, JadeGate, and the Race to Secure AI Agent Skills
SkillShield Research Team
Security Research
Between January and March 2026, seven distinct MCP (Model Context Protocol) security scanners emerged. Each takes a different approach to the same problem: how do you trust code that AI agents execute on your behalf?
This comparison covers all seven: Vett, Aguara, Tork-scan, armor1.ai, Snyk Agent Scan, JadeGate, and SkillShield. The category formed fast — seven scanners in under 60 days. That speed tells you something about the urgency of the problem. The Agents of Chaos paper established that real attacks happen in real deployments. The scanner market is the industry's response.
Quick comparison
| Tool | Approach | Best For | Coverage | Setup |
|---|---|---|---|---|
| Vett | Fast static analysis | Quick pre-install checks | Basic patterns | CLI, instant |
| Aguara | Formal verification | High-assurance environments | 31k+ skills scanned | Go binary |
| Tork-scan | Community ratings | Transparency-focused teams | 500 skills, 10% dangerous | CLI + web |
| armor1.ai | Policy enforcement | Enterprise compliance | Configurable rules | SaaS |
| Snyk Agent Scan | Vendor integration | Existing Snyk customers | Agent-specific | SaaS |
| JadeGate | Just launched | Early adopters | TBD (March 2026) | CLI |
| SkillShield | Static + LLM classification | Comprehensive coverage | 33k+ skills, 6 sources | CLI + API |
Deep dives
Vett
Approach: Fast static analysis with basic pattern matching
Strengths:
- Extremely fast (< 1 second per skill)
- Zero configuration
- Good for CI/CD pipelines
Limitations:
- Surface-level checks only
- No LLM-based classification
- Limited to common attack patterns
Best for: Teams wanting a quick "smell test" before installing skills
Aguara
Approach: Formal verification with 96.95% F1 score
Strengths:
- Highest precision of any scanner (96.95% F1)
- Deep static analysis
- Found 7.4% of 31,330 skills had security issues; 448 critical
- Open source (Go)
Limitations:
- Slower than pattern-based tools
- Requires Go toolchain
- Formal verification can have false positives on legitimate complex code
Best for: Security-critical environments needing maximum precision
Key stat: 448 critical findings across 31,330 skills scanned
Tork-scan
Approach: Community-driven scanning with transparent danger ratings
Strengths:
- Clear DANGEROUS / SUSPICIOUS / SAFE ratings
- Community-verified findings
- 10% of scanned skills flagged as dangerous (500 skills scanned)
- Open source
Limitations:
- Smaller coverage than competitors
- Community model requires time to build accuracy
- Fewer automated classification features
Best for: Teams valuing transparency and community verification
Key stat: 10% dangerous rate (50 of 500 skills)
armor1.ai
Approach: Enterprise policy enforcement and governance
Strengths:
- Policy-as-code for skill approval
- Integration with enterprise IAM
- Audit trails and compliance reporting
- Team-wide skill registries
Limitations:
- SaaS-only (no offline/air-gapped option)
- Priced for enterprise
- May be heavy for individual developers
Best for: Enterprises needing governance and compliance workflows
Snyk Agent Scan
Approach: Established security vendor extending to AI agents
Strengths:
- Integration with existing Snyk workflows
- Vendor backing and support
- Part of broader security platform
Limitations:
- Requires Snyk account
- Less specialized for agent skills vs general dependencies
- Newer product (less mature than core Snyk offerings)
Best for: Teams already using Snyk for dependency scanning
JadeGate
Approach: Just launched (March 10, 2026)
Status: Fresh HN launch, early days
Known:
- CLI-based
- Focus on the "curl | bash from a stranger" problem — installing MCP skills from untrusted sources is equivalent to running untrusted code
- Community interest high (HN front page, March 10)
Unknown:
- Coverage depth
- Classification methodology
- Performance characteristics
Best for: Early adopters wanting to try new tools. Will likely evolve rapidly based on community feedback.
SkillShield
Approach: Static analysis + LLM classification across 6 skill sources
Strengths:
- Largest coverage: 33,746 skills across ClawHub, SkillsMP, Skills.lc, MCP Registry, MCPMarket, Awesome MCP
- Dual approach: Pattern-based rules + LLM contextual classification
- Multiple vectors: Catches data exfiltration, privilege escalation, obfuscated payloads, hidden Unicode injections
- Quantified risk: 0–100 risk scores with actionable findings
- 32.6% critical rate: Of flagged skills, nearly 1 in 3 are critical severity
- Open source: MIT license, community contributions welcome
- Integration-ready: CLI, API, and CI/CD support
Limitations:
- Static analysis can't catch runtime behavior changes
- LLM classification requires API credits (optional)
- Best paired with runtime sandboxing for full coverage
Best for: Teams wanting comprehensive coverage across multiple skill ecosystems
Key stats: 33,746 skills scanned · 32.6% of flagged skills rated CRITICAL · 6 marketplaces covered
Feature matrix
| Feature | Vett | Aguara | Tork | armor1 | Snyk | JadeGate | SkillShield |
|---|---|---|---|---|---|---|---|
| Static analysis | ✅ | ✅✅ | ✅ | ✅ | ✅ | ✅ | ✅✅ |
| LLM classification | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
| Data exfiltration detection | Basic | Advanced | Basic | Advanced | Medium | TBD | Advanced |
| Privilege escalation detection | Basic | Advanced | Basic | Advanced | Medium | TBD | Advanced |
| Obfuscation detection | ❌ | ✅ | ❌ | ✅ | Medium | TBD | ✅ |
| Unicode injection detection | ❌ | ❌ | ❌ | ❌ | ❌ | TBD | ✅ |
| Risk scoring (0–100) | ❌ | ❌ | ❌ | ✅ | ✅ | TBD | ✅ |
| CI/CD integration | ✅ | ✅ | ✅ | ✅ | ✅ | TBD | ✅ |
| Open source | ✅ | ✅ | ✅ | ❌ | ❌ | TBD | ✅ |
| Self-hosted option | ✅ | ✅ | ✅ | ❌ | ❌ | TBD | ✅ |
| Skill marketplace coverage | 1 | 1 | 1 | 1 | 1 | TBD | 6 |
✅✅ = Advanced/comprehensive | ✅ = Supported | ❌ = Not supported | TBD = Too early to assess
Our recommendation
For individuals / small teams
Start with SkillShield (comprehensive) or Vett (fast). Add Tork-scan for community verification.
For security-critical environments
Primary: Aguara (highest precision) + SkillShield (broadest coverage). Add runtime sandboxing for defense-in-depth.
For enterprises
Governance: armor1.ai (policy enforcement). Scanning: SkillShield (coverage) + Snyk (if already in use). Runtime: custom sandboxing + network filtering.
For open source projects
Free stack: SkillShield (scanning). Community: Tork-scan for crowd-verified ratings.
Why this comparison exists
We built SkillShield because we couldn't find a scanner that covered multiple skill marketplaces (not just ClawHub), used both pattern matching and LLM classification, caught obfuscated payloads and hidden Unicode injections, and was open source and self-hostable.
The other tools in this list are solving similar problems with different tradeoffs. Aguara's precision is impressive, Tork's transparency is valuable, and JadeGate's fresh perspective (launching the same day we updated this page) will likely push all of us to improve.
The category formed fast. Seven scanners in under 60 days. The context is clear if you've read the Agents of Chaos paper: supply-chain attacks on AI agent skills are documented, live, and not theoretical. The tools exist because the threat does.
For a comparison of supply-chain scanning vs runtime endpoint testing, see SkillShield vs AgentSeal: Two Layers of AI Agent Security.
Try SkillShield
# Scan any skill
npx skillshield scan https://clawhub.com/skills/example
# Or scan local skills
npx skillshield scan ./my-skill/Last updated: March 10, 2026. Want to add your tool to this comparison? Email [email protected]
33,746 skills scanned. 32.6% critical.
SkillShield covers 6 MCP marketplaces with static analysis and LLM classification — catching exfiltration chains, obfuscated payloads, and Unicode injections before your agent runs them.
Get early access