Pluto AgentGuard finds critical flaws in 20.7% of public AI agent configs
A new open-source tool audits the overlooked attack surface of Model Context Protocol (MCP) configurations, launching with a scan of 1,200 real-world files from public GitHub repositories. The Answer…
A new open-source tool audits the overlooked attack surface of Model Context Protocol (MCP) configurations, launching with a scan of 1,200 real-world files from public GitHub repositories.
The Answer Up Front
Pluto AgentGuard is for any team deploying AI agents using the Model Context Protocol. It's a free, essential security checkup for a new and clearly neglected attack surface. Skip it if you are not using agents that execute code or access external tools via configuration files. The bottom line: Pluto AgentGuard provides a necessary, specific audit for the configuration layer that grants AI agents their power, and its initial findings suggest most teams are getting it wrong.
Methodology
This v0 review is based on the founder's launch announcement and the associated public GitHub repository. All performance and vulnerability statistics are claims made by the author, Arpitha Dhanapathi, based on her own research. Independent benchmarks are pending.
- Tool: Pluto AgentGuard
- Version: Initial public release, June 2026
- Source Signal: "I Scanned 1,200 MCP Configs From GitHub. Here's What I Found." published on dev.to, accessed June 26, 2026.
- Source Artifact: Pluto AgentGuard GitHub Repository
This review covers the tool's stated functionality and the methodology of the founder's 1,200-config audit. The audit's collection phase used the GitHub Code Search API to find public claude_desktop_config.json and .mcp.json files, deduplicating them by content hash. The scanning phase used the Pluto AgentGuard tool itself to check for a predefined set of security issues. This review does not cover independent performance testing, false positive/negative rates, or long-term maintainability of the tool's vulnerability database.
What It Does
The tool is a command-line scanner for MCP configuration files, designed to identify common security misconfigurations that grant AI agents excessive or unsafe permissions.
Identifies high-risk agent capabilities
Pluto AgentGuard maintains a curated database of over 13 MCP server packages known to enable high-risk actions. It scans configs to flag the use of servers that permit shell execution, browser control, database write access, or source control modifications. The tool also checks if these high-risk capabilities are configured without a required human-in-the-loop (HITL) approval step.
Audits authentication and secrets
The scanner checks for two common access control failures. First, it identifies remote MCP endpoints (using http:// or https://) that are defined without any authentication headers or tokens. Second, it uses a set of over 18 regular expressions to detect hardcoded secrets like API keys, passwords, and private keys directly embedded within the configuration values.
Checks for resource exhaustion gaps
A key finding from the author's research was that zero of the 1,200 scanned configs implemented resource limits. The tool specifically checks for the absence of configuration keys that control response sizes (max_tokens, max_response_length) and session length (max_turns, session_timeout). These gaps can expose agents to denial-of-service or resource exhaustion attacks.
What's Interesting / What's Not
The most interesting aspect is the strategic framing. The AI security market has been fixated on controlling LLM outputs (harmful content, prompt injection). This work correctly identifies that as agents gain the ability to perform actions, the configuration layer governing those actions becomes the more critical attack surface. The founder's decision to launch the tool with a comprehensive, data-backed report on the problem's prevalence is highly effective. Publishing the methodology and the 20.7% critical finding rate makes a compelling case for the tool's necessity.
The primary concern is the tool's reliance on a "curated database" of dangerous server packages. While necessary, this creates a maintenance burden and a potential single point of failure. The database's current size (13+ servers) seems small, and its effectiveness depends entirely on how quickly it is updated as new MCP servers emerge. The project's long-term value will hinge on whether this database can be expanded and maintained, perhaps through community contributions. The focus on MCP is also a limitation; while the author calls it the "dominant standard," other agent frameworks with different configuration patterns are not covered.
Pricing
Pluto AgentGuard is free and open-source, available on GitHub. The repository does not specify a license as of this review.
Pricing snapshot taken June 26, 2026.
Verdict
Pluto AgentGuard addresses a real, urgent, and under-examined security risk in the AI agent ecosystem. The author's initial scan of 1,200 public configurations provides clear evidence that developers are routinely misconfiguring the very files that act as the security boundary for their AI agents. For teams using MCP, running this free scanner is a simple, high-value action. It's a targeted tool for a specific problem, and it executes that function well based on the founder's claims. While its long-term utility will depend on the maintenance of its rule set, its immediate value is clear.
What We'd Test Next
A v2 review would require hands-on testing. First, we would run Pluto AgentGuard against a custom-built corpus of both known-vulnerable and properly secured MCP configurations to assess its accuracy and check for false positives or negatives. Second, we would benchmark the author's performance claim that it can scan 1,200 configs in approximately three minutes. Finally, we would examine the process for updating the curated database of dangerous servers to understand how it will keep pace with the rapidly evolving agent landscape.
The investor read
Pluto AgentGuard itself is an open-source project, not a company. However, its launch is a significant market signal. It validates a new, unaddressed category: AI Agent Security Posture Management (ASPM). This is the agent-era equivalent of SAST or container image scanning. The market has focused on LLM firewalls for inputs and outputs, but this tool proves the critical risk lies in the agent's action-enabling configuration layer. A commercial company built on this insight, offering managed scans, CI/CD integration, automated remediation, and a continuously updated vulnerability database, would be a compelling investment. It represents a fundamental shift in the AI security stack, moving from content moderation to infrastructure and permissions hardening. This is a greenfield opportunity.
Every claim ties to a primary source. See our methodology.