Skip to content
Security

Security & Self-Audit

AgentVerus scans AI agent skills for security and trust risks. A scanner that enforces a standard has to meet that standard itself — so we adversarially audit our own tooling and publish what we find. This page documents that practice.

How we audit ourselves

0.8.1 — we found and fixed a ReDoS in our own scanner

During an internal adversarial audit, we red-teamed the scanner against itself and found a real denial-of-service: a crafted skill file triggered catastrophic regex backtracking (ReDoS). A roughly 2 MB input took about 104 seconds to scan — long enough to hang any pipeline that scanned attacker-supplied content.

~104s
Before (2 MB input)
<180ms
After (0.8.1)
314
Tests green

The fix bounded roughly 90 regex patterns to line-confined windows and rewrote the HTML-comment detector as a linear scan. Critically, the change is behavior-preserving: detection is byte-identical on a 224-sample benchmark (F1 0.8425), so the hardening cost nothing in coverage.

If you run the scanner

Upgrade to 0.8.1

Anyone on 0.8.0 or earlier should upgrade. The fix is published; the upgrade is the mitigation.

npm install agentverus-scanner@latest

The MCP server agentverus-scanner-mcp@0.1.2 depends on the hardened core, so updating it pulls the fix automatically.

Responsible disclosure

Found a vulnerability in the scanner, the API, or this site? Report it privately via GitHub Security Advisories. Please give us a reasonable window to ship a fix before public disclosure.

  • We triage reports quickly and credit reporters who want it.
  • Security fixes ship with a public changelog entry and, where relevant, an advisory.
  • We favor behavior-preserving fixes so a security patch never silently weakens detection.

The standard we hold ourselves to

Published trust findings come from six weighted analyzers (permissions, injection, dependencies, behavioral, content, and code-safety), mapped to the ASST taxonomy. Releases are attestable: CI publishes only on a version-matched tag, so a published version always corresponds to a known commit.