Firmis Labs

The security platform for AI agents.

Firmis scans your attack surface, auto-fixes vulnerabilities, and blocks threats at runtime. One tool for your entire agent stack.

$npx firmis-cli init

Sets up and runs your first scan.

Read the research
Free and open source.Star on GitHub
Protecting developers on Claude Code

Every agent you install gets access to everything.

Your credentials, SSH keys, environment variables, database connections, and local files. Most agents never ask. Most developers never check.

AWS Credentials
Cloud access keys sitting in ~/.aws/credentials. Any connected tool can read them.
SSH Private Keys
Your server login keys. Agents see the same ~/.ssh directory you do.
Git Credentials
GitHub tokens and repo passwords stored in git config, visible to every agent.
Environment Variables
Every API key in your .env files gets inherited by agent subprocesses.
Database Connections
Connection strings with passwords in plaintext. One compromised agent, full DB access.
Local Config Files
Dotfiles, rc files, tool configs. Secrets in plaintext, readable by any process.

The numbers are clear.

Independent research and continuous scanning of agent skills across the ecosystem.

7.1%
of skills steal credentials
Firmis scan
72.8%
tool poisoning success rate
MCPTox research
30s
to scan your stack
avg. runtime
Any
agent platform
auto-detected

Auto-detects your stack. No config needed.

Scan. Fix. Monitor.

One scan maps your attack surface. One command patches it. One proxy blocks threats at runtime.

1

Scan

Maps your attack surface across AI agents, MCP servers, and configs. Known vulnerabilities, fixable findings, and unverified findings. Add --deep to verify exploitability.

$ firmis scan
Scanning MCP (5) · Claude (3) · Cursor (2)
Attack surface: 12 findings
Known vulnerabilities (2)
Fixable findings (4)
Unverified findings (6)
2

Fix

Auto-patches fixable findings. Redacts secrets, quarantines malware, tightens permissions. Full backups before every change.

$ firmis fix
Redacted API key → process.env
Quarantined malicious tool
? Disable poisoned server? [Y/n]
3 applied · 1 finding remaining
3

Monitor

Runtime proxy for your AI agents. Intercepts every tool call and blocks threats before they execute.

$ firmis monitor --install
Claude Code hooks installed
Cursor hooks installed
[12:34] exfil-creds ✕ BLOCKED
[12:35] npm test ✓ allowed

Scan is free and open source. Fix and Monitor start at $49/mo.

See it in action

One command. 30 seconds. Results in your terminal and your workspace.

Terminal
$ firmis scan
Scanning MCP (5) · Claude (3) · Cursor (2)
Attack surface: 12 findings mapped
Known vulnerabilities (2)
└── diff@7.0.0 — GHSA-73rr-hh4g-fpgx (fix available)
Fixable findings (4)
├── API key in plaintext config ........... 2
└── Overly broad file permissions ...... 2
Unverified findings (6)
└── Run firmis scan --deep to verify
Results synced to workspace
Workspace
workspace.firmislabs.com
Findings Mapped
12
After fix
4 findings resolved
2
Vulnerabilities
4
Fixable
6
Unverified
API key redacted2m ago
Malicious tool quarantined2m ago
exfil-creds blocked at runtime1m ago

Free: detect threats, 24-hour history. Pro: detect + block, 7-day history. Business: detect + block + enforce policies, 90-day history.

Live Data

AI Agent Security Index

Every scan contributes anonymous threat data to a shared intelligence feed. See what the community is finding across AI agent deployments, updated daily.

Credential Harvesting
Top threat
MCP Servers
Most scanned
2,400+
Findings mapped
View the Security Index

Powered by anonymous scan telemetry. No code or file paths shared.

Questions

Yes. Every AI agent you install inherits access to your files, API keys, and environment variables. MCP servers, Claude Code skills, Cursor extensions. Research shows 7.1% of agent marketplace skills are exfiltrating credentials or sending data to external servers. Most developers never audit what these tools access.

No catch. Run "npx firmis-cli scan" and you get a full attack surface map: known vulnerabilities, fixable findings, and unverified findings. No account, no credit card.

You will see messages like "This skill is reading your AWS passwords and sending them to an unknown server." Plain English, not CVE codes. Every finding explains what is wrong and what to do about it.

No. The scan takes about 30 seconds and runs completely offline. It reads your config files without touching running agents.

Every finding includes control mappings for SOC 2 (CC6/CC7), EU AI Act (Article 9/15), GDPR (Article 32), NIST AI RMF, OWASP Agentic Top 10, ISO 42001, and MITRE ATLAS. Run "firmis scan", open the HTML report, and share the compliance section directly with auditors.

An attacker compromises an MCP server to inject malicious instructions that hijack your AI agent. MCPTox research measured a 72.8% attack success rate on popular LLMs. Firmis scans your MCP configs for known poisoning patterns, malicious servers, and suspicious tool definitions.

Deep scan uses 5 AI credits per component analyzed. Rule-based scanning is always free and unlimited. The free tier includes 50 credits per month, and your first deep scan each month is free regardless of balance. When credits run out, the AI layer pauses but rule-based scanning continues. No surprise charges. Pro ($49/mo) includes 500 credits, with top-up packs starting at 6c/credit.

Get started in 30 seconds.

One command sets up Firmis and scans your entire agent stack. Free, open source, no account required.

$npx firmis-cli init

Then run firmis scan to check your stack.

Security for AI agents. Free to scan. No sign-up required.