Find it. Break it. Fix it.
The hacker's toolkit for AI agents
147 security checks across 30 categories. 55 attack payloads. Auto-fix with rollback. OASB benchmark compliance. One CLI.
Local Security Scanner
Harden Your Agent Setup
147 checks across 30 categories covering MCP configs, Claude Code settings, and credentials. Auto-fix, rollback, and multiple output formats.
The State of AI Agent Security
97,013 Hosts Discovered
We scanned 11,100 internet-facing AI agent endpoints and found 14.4% had at least one security finding. 8,449 total findings across 1,594 vulnerable hosts.
Last updated: January 29, 2026. Data from 207 Shodan queries across MCP, OpenClaw, and agent infrastructure.
Security Benchmark
OASB-1 Compliance
Run the Open Agent Security Benchmark against your agent. 46 controls across 10 categories with L1/L2/L3 maturity levels. The CIS Benchmark for AI agents.
Offensive Security
Attack Mode
Red team your AI agent with 55 attack payloads across 5 categories. Test prompt injection defenses, jailbreak resistance, and data exfiltration controls.
Why This Matters
AI agents are being deployed faster than they can be secured. Exposed MCP servers allow attackers to invoke tools and exfiltrate data. Leaked API keys lead to thousands in unauthorized charges. Clawdbot gateways give full access to messaging platforms and connected services. These aren't theoretical risks—they're being exploited today.
We contributed security checks upstream to OpenClaw via PR #9806 and published our full findings at The State of AI Agent Security.
What We Detect
MCP Server Exposure
SSE endpoints and tool listings accessible without authentication
Credential Leaks
API keys for Anthropic, OpenAI, Slack, Discord, AWS exposed in configs
Clawdbot/Moltbot Gateways
Exposed gateway and WebSocket control planes on ports 18789/18790
Configuration Files
Sensitive config files accessible via web (JSON, YAML, env files)
System Instructions
CLAUDE.md and system prompt files exposed publicly
Dangerous Endpoints
Execute, shell, debug, and admin endpoints without protection
OpenClaw/Moltbot Installations
Dedicated scanner for OpenClaw setups with targeted security checks
Built-in Plugins
Security plugins — scan, sign, and seal
Three security plugins ship with hackmyagent fix-all. Each targets specific OASB controls.
SkillGuard (fix-all)
Hash pinning, tamper detection, and dangerous pattern scanning for MCP server tools and configurations.
SignCrypt (fix-all)
Ed25519 file signing and SHA-256 hash pinning. Verify integrity of configuration files and tool definitions.
CredVault (fix-all)
Credential scanning across 10 patterns with automatic environment variable replacement. Blocks secret leakage.
OpenA2A Ecosystem
Part of a complete security stack
HackMyAgent is one tool in the OpenA2A ecosystem. Each project handles a distinct security domain.
HackMyAgent includes OASB benchmarking and ARP runtime protection. All tools are accessible via npx opena2a.