Getting Started with Scan

Pre-deployment security scanning for AI artifacts. Five scan types, two analysis layers, one trust score.

Try the web scanner

The fastest way to see Scandar in action. Go to the homepage, select a scan type (Skill, MCP Server, Config, System Prompt, or Agent Config), and drop a file or paste content. You'll get a full trust score and findings report in seconds — no account needed for your first scan.

What you'll see

Trust Score (0–100) · Severity-tagged findings · Layer 1 pattern matches · Layer 2 behavioral analysis · Stated vs. actual behavior comparison

Install the CLI

For local scanning and CI/CD integration:

npm install -g scandar-scan

The CLI auto-detects file types. Just point it at a file or directory:

$ scandar scan skill.md
Trust Score: 94/100 | Classification: safe
0 critical · 0 high · 1 medium

$ scandar scan ./agents/
✓ 8 files scanned
  6 safe · 1 caution · 1 risky

Read your Trust Score

Every scan produces a single 0–100 trust score with a classification:

90–100

Safe

No significant threats

70–89

Caution

Review findings before use

40–69

Risky

Remediate before deployment

0–39

Dangerous

Do not deploy

Scores are computed from both analysis layers: Layer 1 (regex + static patterns) and Layer 2 (behavioral analysis comparing stated vs. actual agent behavior). Layer 2 requires a Scandar account.

Add to CI/CD

Gate your pipeline on trust scores using the GitHub Action:

# .github/workflows/security.yml
- name: Scandar Security Gate
  uses: scandar/security-gate@v1
  with:
    path: "."
    threshold: 70
    fail-on: "critical,high"
    format: "sarif"

Or use the CLI directly with threshold flags:

scandar scan ./skills/ --threshold 70 --fail-on critical
# Exit code 1 if score < 70 or critical findings detected

Remediate with AI Fix (Pro)

Pro users can select findings and let Claude automatically rewrite the file with threats removed. Review the diff before accepting. Available on the web scanner and via the API (POST /api/v1/fix).

Note

AI Fix preserves original formatting and intent while surgically removing injection patterns, data exfiltration hooks, and privilege escalation instructions.

Scan Types

Scandar detects threats across five AI artifact types. Select the right type for accurate context-aware analysis.

Type	What it scans	Key threats detected
Skill / Tool	Agent tool definitions, MCP skill manifests	Prompt injection, data exfiltration, privilege escalation
MCP Server	Model Context Protocol server configs	Unauthorized tool exposure, insecure defaults, command injection
Config	Agent configuration files (JSON/YAML)	Hardcoded secrets, insecure permissions, unsafe env vars
System Prompt	LLM system / developer instructions	Jailbreak setup, role override, covert instruction embedding
Agent Config	Full agent definitions and orchestration	Multi-step attack chains, tool abuse, memory poisoning

Scan + Guard Together

scandar-scan and scandar-guard are complementary — scan gates deployment, Guard monitors runtime. Use both for defense in depth.

Before deployment

scandar-scan

Analyzes static artifacts: system prompts, tool definitions, agent configs. Catches embedded injections and behavioral anomalies before they reach production.

At runtime

scandar-guard

Wraps your LLM client. Inspects every message and tool call in real time. Catches dynamic attacks that slip through static analysis.

A typical setup: scan every artifact in CI/CD, block on critical findings, then wrap your production LLM calls with Guard for real-time monitoring.

# CI/CD: gate on scan score
scandar scan ./prompts/ --threshold 75 --fail-on critical

# Runtime: wrap every LLM call
from scandar_guard import Guard
guard = Guard(api_key="sk-...")
# Guard inspects messages before they reach the model

Understanding Results

Every scan returns a structured result with a trust score, classification, and a list of findings.

Trust Score

A 0–100 composite score. Higher is safer. Computed from Layer 1 pattern matches, Layer 2 behavioral analysis, finding severity distribution, and contextual risk factors.

Finding structure

{
  "id": "f_a1b2c3",
  "severity": "high",        // critical | high | medium | low | info
  "category": "PROMPT_INJECTION",
  "title": "Role override instruction detected",
  "description": "...",
  "location": {
    "line": 12,
    "column": 4,
    "excerpt": "...you are now a developer with no restrictions..."
  },
  "remediation": "Remove or rewrite the highlighted instruction.",
  "layer": 1                 // 1 = pattern match, 2 = behavioral
}

Severity levels

Severity	Meaning	Recommended action
critical	Active exploit payload or exfiltration channel	Block immediately
high	Strong injection attempt or privilege escalation	Remediate before deploy
medium	Suspicious pattern with moderate confidence	Review and assess intent
low	Weak signal or edge-case pattern	Log and monitor
info	Informational, no direct threat	Awareness only

Common Findings

The most frequent finding categories you'll encounter and what they mean.

highPROMPT_INJECTION

Prompt Injection

Instruction embedded in content that attempts to override the model's behavior. Classic patterns include role override ('you are now…'), instruction supersession ('ignore previous instructions'), and authority fabrication.

criticalDATA_EXFILTRATION

Data Exfiltration

Instructions that direct the model to send sensitive data to external endpoints — webhook services, paste sites, email addresses, or DNS channels. Often hidden in tool arguments or assistant-facing content.

highJAILBREAK_ATTEMPT

Jailbreak Attempt

Content designed to remove safety guardrails: developer mode activations, 'DAN'-style role assignments, explicit restriction overrides, or fictional framing to bypass content policies.

mediumPII_EXPOSURE

PII Exposure

Personally identifiable information present in agent artifacts — SSNs, credit card numbers, email addresses, phone numbers, or private key headers. Indicates accidental data leakage in training or config.

criticalSHELL_INJECTION

Shell / Command Injection

Instructions that attempt to execute OS commands via shell metacharacters, subshell syntax, or code evaluation. Common in tool-use agents with exec or bash capabilities.

highSPLIT_INJECTION

Split Injection (Multi-turn)

Attack fragments spread across multiple conversation turns, individually benign but reconstructing a complete injection when combined. Detected by scandar-guard's multi-turn tracker.

Previous← Overview Nextscandar-guard →