Skip to main content
Measured savings across 11 LLMs, from Claude Opus 4.7 to Gemini Flash.→ See per-model data
Connect your client
All products

AI security scanning

Pro

Scan before you trust. Point your agent at code and get a security scan, over MCP.

Two security tools live on the gotcontext MCP gateway. gc_scan runs AST security rule packs over a code bundle you submit. gc_skill_scan gates a SKILL.md or an MCP tool manifest against the AI-native threats a generic code scanner never looks for, and returns a safe_to_install verdict your agent can act on. Both run inside your agent's normal workflow, with no separate CLI or dashboard.

Read the docsSee Pro pricing

gc_scan — scan code for security bugs

Submit a bundle of source files and gc_scan runs AST security rule packs across six categories, then returns structured findings with a rule id, severity, file, and line. It covers Python, JavaScript, TypeScript, and Rust.

  • auth
    Weak or missing authentication and authorization checks.
  • crypto
    Broken or misused cryptography and weak algorithms.
  • deserialization
    Unsafe deserialization of untrusted input.
  • secrets
    Hardcoded credentials, tokens, and API keys in source.
  • subprocess
    Command injection and unsafe shell or subprocess use.
  • tls
    Disabled certificate verification and weak TLS configuration.

gc_skill_scan — an install-gate for skills and MCP tools

Before your agent installs a SKILL.md or trusts an MCP tool manifest, scan it. gc_skill_scan runs a static analysis (no LLM, no code execution) across four AI-native threat families and returns a safe_to_install verdict. This is the check a generic code scanner does not model.

  • Tool-poisoning. Hidden instructions in a tool description that redirect an agent to exfiltrate data or act against the user.
  • Prompt-injection. Text engineered to override the agent's own instructions once the skill or manifest is loaded.
  • Least-privilege. Permissions and scopes far broader than the stated purpose actually needs.
  • Excessive-agency. Autonomy to take destructive or irreversible actions without a human in the loop.

Why scan over MCP

Traditional scanners run in CI, after the code is already written. gotcontext Security Scanning runs inside your agent, so a scan is one tool call away at the moment a decision is made: before you merge a diff, before you install a skill, before you wire up a new MCP server. And gc_skill_scan adds a layer no generic scanner ships: an install-gate for the AI-native supply chain, where the threat is a poisoned skill or an over-scoped tool rather than a CVE in a dependency.

What to expect

  • The gc_scan rule packs are in preview. They are a strong first pass on common security mistakes, not a certified replacement for a full SAST suite or a manual audit.
  • gc_skill_scan is a static analysis. It flags patterns and structural risks; it does not execute code or reason about intent the way a human reviewer would.
  • Both tools are available on the Pro plan and above, over the same MCP gateway as the rest of gotcontext. One bearer token, and your agent can scan.
Set it upSee Pro pricing