Frisk scans AI agent tools for novel 'tool poisoning' threats
A new, local-first static scanner for AI agent tools and skills. It checks for novel threats like tool poisoning and rug pulls without sending code to a third-party API. THE ANSWER UP FRONT This tool…
A new, local-first static scanner for AI agent tools and skills. It checks for novel threats like tool poisoning and rug pulls without sending code to a third-party API.
THE ANSWER UP FRONT
This tool is for developers actively experimenting with third-party AI agent skills, such as MCP servers or Claude tools, who want a fast, local-first security check before running untrusted code. If your workflow already mandates an enterprise-grade, cloud-based scanner like Snyk, or if you require deep dynamic analysis, you can skip this. For everyone else, frisk is a pragmatic, zero-dependency static scanner that addresses emerging AI-specific security threats. Its strict local-only philosophy makes it a sensible, low-friction addition to the indie developer's toolkit.
METHODOLOGY
This v0 review covers frisk as described in the founder's launch announcement on June 24, 2026. The tool is available via pip install frisk-scan. This analysis is based entirely on the founder's published claims, feature descriptions, and code examples provided in the source blog post. We have not performed independent benchmarks, measured its detection rate against a corpus of malicious tools, or evaluated its false positive rate. The scope of this review is to analyze the problem frisk purports to solve and the approach it takes, as described by its creator. A v2 review would require hands-on testing. Update cadence: we will re-test when public benchmarks or significant feature updates diverge from the initial claims.
WHAT IT DOES
frisk is a command-line static analysis tool designed to vet AI agent components before installation and execution. Its functionality, as described by the founder, is built on a few core principles.
Local-first, zero-dependency scanning
The tool is written in plain Python with no dependencies outside the standard library. It runs entirely on the user's machine and makes no network calls to any third-party analysis API. This is a deliberate design choice to ensure user code and tool descriptions remain private, contrasting with hosted services like Snyk's mcp-scan. It inspects code by matching patterns, never by executing it, making it safe to run on potentially malicious files.
Detects novel AI agent threats
Beyond standard checks for destructive commands (rm -rf) or secret-stealing patterns (~/.aws/credentials), frisk specifically targets vulnerabilities unique to AI agents. It flags "tool poisoning," where a tool's description contains hidden instructions for the LLM to exfiltrate data. It also addresses "rug pulls" by allowing a user to lock the state of a tool's description (frisk lock .) and later verify that it hasn't been maliciously changed (frisk verify). The scanner also reports on obfuscation techniques like zero-width unicode characters in descriptions.
Integrates into developer workflows
frisk can be run from the command line on a local folder, a remote Git repository, or against an existing agent configuration file to audit all installed tools. It provides a clear PASS / WARN / BLOCK verdict for each scan. For CI/CD integration, it can emit findings in SARIF format, which can be displayed in GitHub's Security tab. It can also be run as an MCP server itself, allowing an agent to use frisk to vet other tools.
WHAT'S INTERESTING / WHAT'S NOT
The most interesting aspect of frisk is its explicit focus on the emerging attack surface of AI agent supply chains. The concepts of "tool poisoning" and "rug pulls" are well-defined problems that existing static analysis tools, not built with LLMs in mind, would likely miss. The lock and verify commands are a simple, effective solution to the transient nature of rug pull attacks. The commitment to a zero-dependency, local-first implementation is a strong differentiator in a market saturated with API-based scanners. For a security tool, minimizing its own attack surface is a significant feature.
What's less developed, by the founder's own admission, is the tool's fundamental limitation: it is static and regex-based. This makes it fast and safe but also brittle. Sophisticated attackers can use simple obfuscation to bypass regex patterns. Without a public test suite of known-malicious agent tools to benchmark against, its real-world efficacy remains an open question. The comparison to Snyk is useful for positioning, but Snyk's value comes from a massive, continuously updated threat intelligence database, something a regex-based tool cannot replicate. frisk is a sharp scalpel for a specific problem, not a replacement for a broad-spectrum security platform.
PRICING
As of June 2026, frisk is presented as a free, open-source tool available via pip. The source material does not mention any paid tiers, enterprise plans, or commercial versions.
VERDICT
For an individual developer or small team building with AI agents, frisk is a recommended install. It provides a necessary first line of defense against a new and subtle class of security threats for which few specialized tools exist. Its primary value is its local-first design and its focus on AI-specific vectors like tool poisoning. While its regex-based engine means it is not foolproof and can be bypassed, it represents a significant improvement over blindly installing third-party agent tools. It is best viewed not as a comprehensive security solution, but as a low-friction, specialized utility that hardens one specific, high-risk part of the modern development workflow.
WHAT WE'D TEST NEXT
A v2 review would require hands-on benchmarking. We would first need to build or acquire a corpus of AI agent tools containing benign, suspicious, and known-malicious code and descriptions. We would then measure frisk's true positive and false negative rates against this corpus. We would also test its resilience to basic obfuscation techniques in both code and tool descriptions. Finally, we would evaluate the signal-to-noise ratio by running it across a large set of popular, trusted open-source agent tools to measure its false positive rate in a real-world scenario.
The investor read
frisk is an early signal of a new, necessary security category: AI Agent Supply Chain Security. As developers compose systems from third-party agentic tools, the security model breaks. This tool is a direct response. While frisk itself is a small, open-source project and not currently investable, it validates a market need. A venture-scale company in this space would need to move beyond regexes to a more robust analysis engine (semantic, control-flow), build a proprietary threat intelligence feed for agent-specific exploits, and offer a managed enterprise product. The key question is whether the market will adopt local-first solutions like frisk or default to incumbent cloud security platforms like Snyk extending their offerings. Watch this project for community adoption; it's a leading indicator of where developer security concerns are headed.
Every claim ties to a primary source. See our methodology.