Hi!
I'm the maintainer of AgentShield, an open-source security scanner for AI agent skills, MCP servers, and plugins.
I noticed MSSS mentions automated verification tools as a planned feature in the roadmap. AgentShield already covers many of the control domains in your standard:
Overlap with MSSS controls

| MSSS Domain | AgentShield Coverage |
|---|---|
| Command injection | ✓ `backdoor` rule: detects `eval()`, `exec()`, `child_process` with dynamic input |
| Path traversal | ✓ `sensitive-read` rule: detects access to `~/.ssh`, `~/.aws`, `~/.kube` |
| SSRF | ✓ `network-ssrf` rule: detects user-controlled URLs, AWS metadata access |
| Credential leaks | ✓ `credential-hardcode` + `env-leak` rules |
| Supply chain | ✓ `supply-chain` + `typosquatting` rules |
| Secret redaction | ✓ `hidden-files` rule: detects `.env` files with secrets |
What we offer

- 30 detection rules with AST taint tracking (not just regex)
- Cross-file data flow analysis: traces imports and data paths
- Kill chain detection: 5-stage attack sequence identification
- Zero install: `npx @elliotllliu/agent-shield scan ./server/`
- 100% offline: no data leaves the machine
- CI/CD integration via GitHub Action + `--fail-underscoring`
Proposal

I'd love to explore how AgentShield could serve as an automated verification tool for MSSS compliance. For example:

- Map AgentShield rules to MSSS control IDs
- Generate MSSS-compatible JSON assessment reports
- Auto-produce L1/L2 evidence artifacts
Would you be interested in collaborating on this? Happy to discuss further.
Repository: https://github.com/elliotllliu/agent-shield
Package: https://www.npmjs.com/package/@elliotllliu/agent-shield
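To make the "AST taint tracking, not just regex" point and the proposed "MSSS-compatible JSON assessment report" concrete, here is a small added illustration in Python. It is not AgentShield's code and not MSSS's schema: it parses a scanned file with the standard `ast` module, flags `eval()`/`exec()` only when the argument is not a string literal (a regex grep would also flag the harmless `eval("1 + 1")`), flags string literals pointing into credential directories such as `~/.ssh`, and emits a JSON report keyed by placeholder control IDs, since the issue does not list the real MSSS identifiers. The `scan_source`, `build_report` and `SAMPLE` names, the report schema, and the constructed sample input are all assumptions made for this example.

```python
"""Added example: an AST-based check in the spirit of the table above.
Not AgentShield's code; control IDs and report schema are placeholders."""
import ast
import json

# Placeholder control IDs (the real MSSS identifiers are not given in the issue).
CONTROL_COMMAND_INJECTION = "MSSS-PLACEHOLDER-command-injection"
CONTROL_SENSITIVE_READ = "MSSS-PLACEHOLDER-path-traversal"

DANGEROUS_CALLS = {"eval", "exec"}
SENSITIVE_PATH_PREFIXES = ("~/.ssh", "~/.aws", "~/.kube")


def _is_dynamic(node: ast.AST) -> bool:
    """True when an argument is anything other than a string literal."""
    return not (isinstance(node, ast.Constant) and isinstance(node.value, str))


def _is_sensitive_path(node: ast.AST) -> bool:
    """True when a string literal points into a credential directory."""
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and node.value.startswith(SENSITIVE_PATH_PREFIXES))


def scan_source(source: str, filename: str = "<input>") -> list:
    """Walk the AST of `source` and return a list of finding dicts sorted by line."""
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        # eval()/exec() with a non-literal argument: data the code did not
        # write itself reaches an interpreter, so report it.
        if (isinstance(node.func, ast.Name) and node.func.id in DANGEROUS_CALLS
                and node.args and _is_dynamic(node.args[0])):
            findings.append({
                "control": CONTROL_COMMAND_INJECTION,
                "rule": "dynamic-eval",
                "file": filename,
                "line": node.lineno,
            })
        # Any call whose positional argument is a literal under ~/.ssh, ~/.aws,
        # ~/.kube (keyword arguments are deliberately not covered here).
        for arg in node.args:
            if _is_sensitive_path(arg):
                findings.append({
                    "control": CONTROL_SENSITIVE_READ,
                    "rule": "sensitive-read",
                    "file": filename,
                    "line": node.lineno,
                })
    return sorted(findings, key=lambda f: (f["line"], f["rule"]))


def build_report(findings: list) -> str:
    """Render findings as a JSON document grouped by control ID (assumed schema)."""
    summary = {}
    for finding in findings:
        summary[finding["control"]] = summary.get(finding["control"], 0) + 1
    report = {
        "schema": "assumed-msss-report-v0",  # placeholder, not a real MSSS schema
        "summary": summary,
        "findings": findings,
    }
    return json.dumps(report, indent=2)


# Constructed sample input: one benign eval, one dynamic eval, one credential read.
SAMPLE = """\
import os
x = eval("1 + 1")
y = eval(request_body)
key = open("~/.ssh/id_rsa").read()
"""

if __name__ == "__main__":
    print(build_report(scan_source(SAMPLE, "sample.py")))
```

Running the block prints two findings (line 3 and line 4 of the sample) and a summary with one hit per placeholder control; line 2 is silent because the `eval` argument is a literal.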