audr

audr.dev · fresh local posture checks · advisory proof: CVE-2026-49257 · published 2026-06-18 (2d ago)

Your developers installed AI coding agents. Audr scans the local config risk they create.

Find risky agent posture across secrets exposure, shell hooks, trusted workspaces, MCP servers, and CI agent paths. Offline single binary. Shareable HTML, SARIF, and JSON evidence.

curl -fsSL https://audr.dev/install.sh | sh

Design-partner pilot: 5–20 developer machines, redacted report, no account, no upload by default.

Signed release. SHA-256 verified. No telemetry. Inspect install.sh before running.

Then run audr scan — scans $HOME, opens an HTML report, and prints a forensic summary.

Or read the README · /security

what audr does

Three things, in this order.

Audr scans the local config risk your AI coding agents create, integrates the package and secret scanners you already trust, and then lets agents close the loop on the findings they understand.

01

Scan

Native rules read Claude Code, Cursor, Codex CLI, Windsurf, MCP servers, agent skills, shell rcs, and GitHub Actions for risky agent posture — exposed secrets, shell hooks, trusted-workspace drift, unpinned package roots.

Offline. Reads the developer machine where the configs live.

What rules ship today →

02

Orchestrate

Audr coordinates four backends and presents one report: the native agent-rule engine, OSV-Scanner for package CVEs, Betterleaks for secret scanning with provider validation, and ospkg for OS-package CVEs on Linux.

Audr is not yet another vuln DB. The DB authors do their job; audr does the orchestration.

Inside audr — the four backends →

03

Close the loop

Pipe one finding to your coding agent as an injection-safe prompt. The agent edits source. Audr re-scans against the prior baseline and confirms the finding is gone — without trusting the agent's claim.

Stable finding ids, suppressions-off diff, published JSON Schema.

See the loop →

in-browser scan · proof of pillar 01

Same engine the binary ships. Compiled to WASM. Runs in your tab.

Paste a redacted config and see the same agent-posture checks Audr runs locally.


Your config never leaves your browser. View source: github.com/harshmaur/audr-web. WASM blob SHA-256: c036c6354d04

ai fix loop

Findings agents can act on, with verification baked in.

Pipe one finding to Claude Code, Cursor, Codex CLI, or any agent that reads stdin. The agent edits source. Audr re-scans against the baseline and tells you what got fixed — without trusting the agent's claim that the fix worked.

the loop · four commands
# baseline scan
audr scan . -f json -o before.json

# agent reads the actionable subset
audr findings ls \
  --from before.json \
  --severity ge:high \
  --fix-authority you

# render one finding as an injection-safe prompt
audr findings show <id> \
  --from before.json --format prompt | <agent>

# agent edits source
# audr re-scans and tells you what got fixed
audr scan . -f json --baseline=before.json
# read baseline_diff.resolved
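How the last step's baseline_diff.resolved can be derived while keeping suppressions out of the comparison, as an added Go example that is not audr's own code. The report field names (findings, id, suppressed) are assumptions standing in for the published schema, and the two sample reports are constructed.

```go
package main

import (
	"encoding/json"
	"sort"
)

// Constructed stand-in for the audr report shape; the real field names are
// defined by /schema/report.v1.json and are assumed here.
type Finding struct {
	ID         string `json:"id"`
	Suppressed bool   `json:"suppressed"`
}
type Report struct {
	Findings []Finding `json:"findings"`
}

// ids collects every finding id and deliberately ignores Suppressed: the diff
// runs over the unsuppressed result, so a new .audrignore entry is not a fix.
func ids(r Report) map[string]bool {
	m := map[string]bool{}
	for _, f := range r.Findings {
		m[f.ID] = true
	}
	return m
}

// Resolved returns baseline finding ids absent from the current scan, sorted.
func Resolved(baseline, current Report) []string {
	cur := ids(current)
	var out []string
	for id := range ids(baseline) {
		if !cur[id] {
			out = append(out, id)
		}
	}
	sort.Strings(out)
	return out
}

// Parse decodes one JSON report; malformed input panics for brevity.
func Parse(s string) Report {
	var r Report
	if err := json.Unmarshal([]byte(s), &r); err != nil {
		panic(err)
	}
	return r
}

// Constructed samples: the first finding was fixed, the second only suppressed.
const Before = `{"findings":[{"id":"a1b2c3d4e5f6"},{"id":"0f1e2d3c4b5a"}]}`
const After = `{"findings":[{"id":"0f1e2d3c4b5a","suppressed":true}]}`
```

Resolved(Parse(Before), Parse(After)) yields only a1b2c3d4e5f6; the suppressed finding is still present on both sides and never counts as resolved.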
01

injection-safe prompts

Untrusted file content wraps in an UNTRUSTED-CONTEXT envelope. ANSI escapes, zero-width and bidi Unicode, and ASCII smuggling via Unicode Tag-block codepoints are all stripped before the agent sees the prompt. A 19-pattern adversarial corpus plus a Go fuzz target with 64k+ executions ran clean.

02

suppressions-off diff

The --baseline diff is computed against the unsuppressed scanner result. An agent that adds a rule to .audrignore instead of fixing the code does not see the finding appear in baseline_diff.resolved. The security invariant is enforced, not advertised.

03

stable ids across surfaces

The 12-character finding id the CLI prints is the same id the daemon dashboard's "Copy AI prompt" affordance produces and the same SQLite primary key the findings table uses. Pasting between surfaces just works.

04

wire shape published

The JSON Schema for audr scan -f json output ships at /schema/report.v1.json and is embedded in the binary via audr scan --print-schema. Validate audr output online or offline; same bytes either way.
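The stripping and enveloping that item 01 describes, as an added Go example that is not audr's own code: ANSI escapes, zero-width and bidi controls, and Tag-block code points are removed before the content is wrapped. The envelope marker wording and the exact code point list are assumptions; the sample input is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// ansiEscape matches CSI (ESC [ ... final) and OSC (ESC ] ... BEL or ESC \) sequences.
var ansiEscape = regexp.MustCompile(`\x1b\[[0-9;?]*[ -/]*[@-~]|\x1b\][^\x07\x1b]*(\x07|\x1b\\)`)

// dropRune reports whether r is an invisible or direction-altering code point.
func dropRune(r rune) bool {
	switch {
	case r >= 0xE0000 && r <= 0xE007F: // Unicode Tag block: ASCII smuggling
		return true
	case r >= 0x202A && r <= 0x202E, r >= 0x2066 && r <= 0x2069: // bidi controls
		return true
	case r == 0x200B, r == 0x200C, r == 0x200D, r == 0x2060, r == 0xFEFF: // zero-width
		return true
	case unicode.Is(unicode.Cf, r): // any other format control (LRM, RLM, soft hyphen)
		return true
	case r < 0x20 && r != '\n' && r != '\t': // raw C0 controls left after ANSI removal
		return true
	}
	return false
}

// Sanitize strips ANSI escapes and the code points above from untrusted text.
func Sanitize(s string) string {
	s = ansiEscape.ReplaceAllString(s, "")
	var b strings.Builder
	for _, r := range s {
		if !dropRune(r) {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// Envelope wraps sanitized content in an UNTRUSTED-CONTEXT block so the agent
// can tell quoted data from instructions. The marker wording is assumed.
func Envelope(path, content string) string {
	return "BEGIN UNTRUSTED-CONTEXT path=" + path + "\n" + Sanitize(content) + "\nEND UNTRUSTED-CONTEXT\n"
}

func main() {
	// Constructed sample: hook command, erase-line escape, RTL override, two Tag-block chars.
	raw := `"command": "./run.sh"` + "\x1b[2K\u202Ehidden\u202C" + string([]rune{0xE0041, 0xE0069})
	fmt.Print(Envelope("~/.claude/settings.json", raw))
}
```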

what happens after install

Install → scan → share a local report. No account ceremony.

Security teams can trial Audr on a few laptops without routing sensitive developer configs through a hosted service.

01

Install a signed single binary

Use the curl installer or verify the release yourself before it touches a developer machine.

No account, no SaaS tenant, no background daemon.

02

Run audr scan locally

Audr reads AI-agent configs, MCP server definitions, trusted workspaces, hooks, skills, and CI agent paths from the machine it runs on.

No upload by default. No telemetry. Scans complete in seconds.

03

Share evidence, not raw secrets

Open the local HTML report or export SARIF/JSON for security review, ticketing, or CI baselines.

Findings include evidence path/key, attacker impact, and remediation order.

trust and procurement proof

Built for a security-team pilot, not a growth funnel.

Start with a small design-partner fleet: 5–20 developer machines, redacted evidence, one prioritized attack-path report, and a clear go/no-go for wider rollout.

Offline by default

Runs on the developer machine. No telemetry, no third-party analytics, and no hosted account required for the local scan path.

Verifiable release path

Single static binary with signed releases, SHA-256 checks, cosign verification, SBOM/provenance hooks, and an inspectable install script.

Security-team outputs

HTML for executive review, SARIF for code/security tooling, and JSON for fleet baselines or evidence bundles.

Clear read boundaries

Audr inspects AI-agent configuration surfaces: Claude Code, Cursor, Codex CLI, Windsurf, MCP servers, agent skills, trusted repos, and CI paths.

fresh agent-security coverage · local evidence, not vuln-feed noise

Recent agent-security advisories Audr checks as local-config evidence.

CVEs are proof of freshness. The product is posture: what your agents can do, what they trust, and which secrets or endpoints they can reach.

CVE-2026-49257

StarTreeData · mcp-pinot

mcp-pinot 3.0.1 and earlier default to an unauthenticated HTTP MCP server on 0.0.0.0:8080.

✓ rule: mcp-pinot-unauth-http-default

CVE-2026-48124

Cursor · Cursor Desktop

workspace-defined Claude hook commands could run without dedicated approval before 3.0.0.

✓ rule: claude-hook-shell-rce

CVE-2026-11624

Google APIs · MCP Toolbox for Databases

wildcard Origin and Host defaults allow DNS rebinding against local Toolbox MCP servers before hardened startup flags are used.

✓ rule: googleapis-mcp-toolbox-wildcard-origin-host

CVE-2026-53838

OpenClaw · OpenClaw

node pairing reconnection can confuse approval scope decisions before 2026.5.27.

✓ rule: openclaw-node-pairing-reconnect-scope-confusion

CVE-2026-53819

OpenClaw · OpenClaw

workspace .env files can override Homebrew executable selection during skill install before 2026.5.27.

✓ rule: openclaw-skill-install-homebrew-env-override

View shipped checks and advisory triage →

what a real scan looks like

Top 3 ways your AI-agent setup can currently be abused.

The report is organized for security triage: risk, evidence, attacker gets, fix order, and business impact — not just a dump of rule IDs.

audr scan · redacted excerpt · 200 dev laptops

200

laptops scanned

14

critical findings

3

priority attack paths

4.2s

scan time

Agent hook becomes shell execution

Attacker gets
A poisoned workspace or synced config can run commands before every trusted tool call.
Evidence
Claude Code hook command + file:line citation
Fix order
Disable the hook, pin trusted commands, then rerun audr.
Business impact
Stops a local dev-tool foothold from becoming repo or laptop compromise.

MCP server exposes internal tokens

Attacker gets
Remote MCP traffic can carry bearer tokens or broad GitHub/Linear scopes out of the laptop.
Evidence
MCP URL, header key, and redacted credential shape
Fix order
Remove remote server, narrow scopes, rotate exposed tokens.
Business impact
Reduces blast radius before the same config appears across the fleet.

Trusted repo bypasses agent prompts

Attacker gets
A repo marked trusted can combine broad shell permissions with CI or local credentials.
Evidence
Trusted workspace entry + dangerous approval/sandbox posture
Fix order
Downgrade trust, restore approval prompts, baseline the policy.
Business impact
Gives security a prioritized rollout order instead of a flat rule list.