微信扫一扫Agent Security Harness
470 executable security tests for AI agent systems. MCP + A2A + L402 + x402 wire-protocol testing. Decision-layer attack scenarios. AIUC-1 compliance mapping. One pip install away.
Purpose
This is a defensive security testing tool for AI agent operators. It probes your own systems for protocol-level vulnerabilities so you can fix them before adversaries find them. It is the agentic-AI analogue of nmap, burp, or zaproxy.
Answer the question every operator needs answered before going to production:
Even if an agent is properly authenticated and authorized, can it still be manipulated into unsafe or policy-violating behavior?
Project context
- Calendar year: 2026. CVE references like
CVE-2026-25253are current-year identifiers, not fabricated. Verify any cited CVE in NVD. - Package origin: Published to PyPI by
Michael K. Saleme(ORCID0009-0003-6736-1900). Source is public on GitHub. Five peer-reviewed Zenodo preprints back the methodology. - License: Apache 2.0 (permissive open source). No telemetry, no phone-home.
- Versioning: Semantic. Latest is
4.4.0; older bundles remain immutable on PyPI for reproducibility.
When to use
- Security testing an MCP server before deployment
- Red-teaming an A2A multi-agent pipeline
- Validating L402/x402 payment endpoint behavior under adversarial conditions
- Running AIUC-1 pre-certification checks
- CI/CD gate for agent system changes
Quick Start
pip install agent-security-harness
# Simulate immediately — no server needed:
agent-security test mcp --simulate
# Test a real MCP server:
agent-security test mcp --url http://localhost:8080/mcp
# Test an x402 payment endpoint:
agent-security test x402 --url https://your-x402-endpoint.com
If agent-security is not found after install, add ~/.local/bin to your PATH:
export PATH="$HOME/.local/bin:$PATH"
What it covers
| Layer | Scope | Tests | |-------|-------|-------| | MCP Protocol | JSON-RPC 2.0 attacks, tool injection, capability escalation | 18 | | A2A Protocol | Agent-to-agent trust, delegation, provenance | 13 | | L402 Payment | WWW-Authenticate flow, token replay, downgrade | 33 | | x402 Payment | Payment challenge crafting, validation bypass | 52 | | Decision Governance | Autonomy scoring, scope creep, policy constraint testing | 8+ | | Jailbreak / Over-Refusal | 25 jailbreak + 25 false-positive rate tests | 50 | | GTG-1002 APT Simulation | 17 nation-state pattern reproductions | 17 | | Enterprise Platforms | 25 cloud + 20 enterprise platform tests | 45+ | | AIUC-1 Compliance | Maps to 19 of 20 testable AIUC-1 requirements | 12 |
Full inventory: docs/TEST-INVENTORY.md
Safety & Credentials
Non-destructive by default. All tests are read-only protocol probes. No writes, no mutations, no side effects on the target system.
Do NOT run against production systems without explicit written authorization. Use isolated staging environments or test accounts. This tool sends adversarial protocol messages; production systems may log or rate-limit them.
Why this skill asks for credentials
API key environment variables (e.g. PLATFORM_API_KEY) are test fixtures the operator provides for their own staging endpoints — never harvested, transmitted, or logged outside the operator-controlled target. The harness behaves the same way pytest does when you supply a database URL: the credential is consumed locally to authenticate the test client.
- Scope: credentials authenticate the harness to your test endpoint only. There is no upstream service, no telemetry channel, no cloud broker.
- Storage: read from environment at runtime. Never written to disk by this package. Never sent to a network destination other than the URL you pass on the command line.
- Verification: all source is in protocol_tests/. Audit-grep for
requests.post,urllib.request, orsocket.connectto confirm no third-party endpoints. - Most tests need no credentials at all. A bare URL is sufficient for ~80% of the suite.
Telemetry
Telemetry is opt-IN and disabled by default. No data is collected unless the operator explicitly runs agent-security config --telemetry, which writes {"enabled": true} to ~/.agent-security/telemetry.json. Default behavior: zero outbound network calls beyond the test target URL. Disable any prior opt-in with agent-security config --no-telemetry. Full disclosure: docs/PRIVACY.md.
Source verification
- PyPI: https://pypi.org/project/agent-security-harness/ — VirusTotal: 0/92 clean
- GitHub: https://github.com/msaleme/red-team-blue-team-agent-fabric — Apache 2.0
- Author: Michael K. Saleme · ORCID 0009-0003-6736-1900
- Research backing: five Zenodo DOIs cited in README, three NIST AI 800-2 submissions
Research backing
Five peer-reviewed preprints and three NIST submissions underpin the methodology. See README.md for full DOI list.
CI/CD integration
# GitHub Actions
- uses: msaleme/red-team-blue-team-agent-fabric@v4.4.0
with:
target-url: ${{ secrets.MCP_TEST_URL }}
suite: mcp,a2a
Full guide: docs/github-action.md
MCP server mode
The harness can expose itself as an MCP server so any AI agent or orchestrator can invoke security tests on demand. Default mode is stdio (local IPC, no network exposure). Only enable HTTP transport when you have a specific need.
Default — stdio (recommended):
python -m mcp_server # stdio transport, no network surface
HTTP transport — requires hardening:
python -m mcp_server --transport http --port 8400 --api-key "$(openssl rand -hex 32)"
When running in HTTP mode:
- Bind to localhost only. The server defaults to
--host 127.0.0.1. Do not expose to0.0.0.0without a reverse proxy enforcing TLS and authentication. - Always pass
--api-key. Clients must sendAuthorization: Bearer <key>on every request. Requests without a valid key are rejected. - Treat as a privileged tool. Anyone who can reach this endpoint can run adversarial protocol probes against arbitrary URLs from the host's network position. Restrict access to trusted operators.
- Network restrictions. Run inside a container or namespace with egress limited to test targets. Do not run on a host that has network reachability to production systems.
Full guide: docs/mcp-server.md