This product was not featured by Product Hunt yet.
It will not be visible on their landing page and won't be ranked (cannot win product of the day regardless of upvotes).

Product Thumbnail

AgentRisk

Scan untrusted AI-agent repos before your agent runs them

Open Source
GitHub
Security
Visit WebsiteSee on Product HuntGithub

Hunted bySato RengaSato Renga

AgentRisk is a zero-execution preflight scanner and local MCP server for AI-agent artifacts. Point it at a folder, GitHub URL, npm package, or tarball before your coding agent opens it. It flags risky MCP launchers, install scripts, secret-forwarding config, and repo instructions like "readenv" or "ignore approval". Use it from the CLI or as an MCP tool: npx --yes agentrisk@latest mcp config. Exports JSON, Markdown, SARIF, and terminal reports.

Top comment

I built AgentRisk because AI coding agents now trust more than source code. They read repo instructions, open config files, install packages, and sometimes launch local tools from MCP or editor settings. That makes files like .mcp.json, AGENTS.md, SKILL.md, Cursor rules, Copilot instructions, and package.json part of the agent supply chain.

The goal is intentionally narrow: scan before trust. AgentRisk statically checks high-signal files, never runs target code, never connects to target MCP servers during a scan, and produces evidence-backed findings you can review before handing a repo or package to an AI agent.

AgentRisk can be used from the CLI, and v0.2 also adds a local MCP server so LLM/MCP clients can call the scanner as a tool.

Try it from the CLI:

npx --yes agentrisk@latest scan github:Renga154/agentrisk --format markdown

Or set up the MCP tool:

npx --yes agentrisk@latest mcp config

Comment highlights

Love that it runs as a local MCP server instead of some cloud upload, makes it actually usable inside an agent workflow. The SARIF export is a nice touch too, finally something that plugs into existing CI security pipelines without fuss.

Does it scan recursively into nested folders or do I have to feed it each directory one at a time?

How does it handle obfuscated payloads in install scripts, like base64-encoded commands that don't trip obvious keyword flags? Curious if there's any heuristic layer beyond simple string matching.

About AgentRisk on Product Hunt

Scan untrusted AI-agent repos before your agent runs them

AgentRisk was submitted on Product Hunt and earned 5 upvotes and 7 comments, placing #93 on the daily leaderboard. AgentRisk is a zero-execution preflight scanner and local MCP server for AI-agent artifacts. Point it at a folder, GitHub URL, npm package, or tarball before your coding agent opens it. It flags risky MCP launchers, install scripts, secret-forwarding config, and repo instructions like "readenv" or "ignore approval". Use it from the CLI or as an MCP tool: npx --yes agentrisk@latest mcp config. Exports JSON, Markdown, SARIF, and terminal reports.

AgentRisk was featured in Open Source (68.6k followers), GitHub (41.3k followers) and Security (2.7k followers) on Product Hunt. Together, these topics include over 42.7k products, making this a competitive space to launch in.

Who hunted AgentRisk?

AgentRisk was hunted by Sato Renga. A “hunter” on Product Hunt is the community member who submits a product to the platform — uploading the images, the link, and tagging the makers behind it. Hunters typically write the first comment explaining why a product is worth attention, and their followers are notified the moment they post. Around 79% of featured launches on Product Hunt are self-hunted by their makers, but a well-known hunter still acts as a signal of quality to the rest of the community. See the full all-time top hunters leaderboard to discover who is shaping the Product Hunt ecosystem.

Want to see how AgentRisk stacked up against nearby launches in real time? Check out the live launch dashboard for upvote speed charts, proximity comparisons, and more analytics.