Arc Security

Name: Arc Security
Author: ArcSelf

Audit third-party and custom agent skills for malicious patterns before you wire them into Claude Code or Cursor.

Overview

com.arcself/arc-security is a MCP server for the Ship phase that scans AI agent skills across 25 attack classes and supports runtime monitoring.

What is this MCP server?

Covers 25 documented attack classes aimed at agent skill payloads
Catalog cites 1,316+ historical findings from real scans
npm stdio package arc-security-mcp (v0.5.1) for local MCP hosts
Runtime monitoring complements one-off directory scans
GitHub source: ArcSelf/arc-security-mcp
25 attack classes
1,316+ cited findings
Server version 0.5.1

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

What problem does it solve?

Agent skills look harmless until a prompt-injection or credential-stealing pattern ships inside a skill you trusted from a marketplace.

Who is it for?

Indie builders curating many third-party skills for Claude Code who want a dedicated MCP security pass before enabling tools.

Skip if: Teams that only need generic dependency SAST on a Node repo without any agent-skill surface area.

What do I get? / Deliverables

You get classified findings on skill packages and ongoing monitoring hooks so you can block or quarantine risky skills before production use.

Findings mapped to 25 attack classes
Actionable pass/fail signal per skill package
Runtime monitoring integration when enabled

Recommended MCP Servers

1Claw Vault1clawAI/1claw-mcp

1Claw Vault exposes a stdio MCP server (@1claw/mcp) that connects AI agents to HSM-backed secret storage with just-in-ti…2 stars

1passwordCakeRepository/1Password-MCP

The 1Password MCP server lets solo builders wire service-account access into Claude Code, Cursor, or other stdio MCP hos…16 stars

402sentinel Mcpkaditang/402sentinel-mcp

402 Sentinel MCP gives solo builders and agent authors a pre-flight check before honoring x402 payment flows on Base. In…1 stars

A2adependencyinspector Mcpclauxel/a2a-dependency-inspector-mcp

A2A Dependency Inspector MCP is a hosted Clauxel server for builders shipping agent-to-agent (A2A) workflows who must pr…

A2a Governance Bridge Mcp

A2A Governance Bridge is a Model Context Protocol server that exposes governance-oriented tools for multi-agent setups: …

A2aidentitytoll Mcpclauxel/a2a-identity-toll-mcp

A2A Identity Toll MCP is a Clauxel-hosted remote MCP server that acts as an identity and policy toll booth for agent-to-…

Journey fit

Primary fit

Skill supply-chain risk shows up right before and after you adopt new agent tooling—canonical shelf is ship/security alongside review and launch prep. Static scans plus runtime monitoring map directly to security subphase work for AI-coding workflows.

How it compares

Skill-focused security MCP, not a general code-review skill or OWASP ZAP replacement.

Common Questions / FAQ

Who is com.arcself/arc-security for?

Solo builders and small teams using Claude Code, Cursor, or similar agents who install skills from registries and want supply-chain scanning via MCP.

When should I use com.arcself/arc-security?

Run it during ship/security whenever you add or update agent skills, especially before granting network or filesystem tools to a new skill.

How do I add com.arcself/arc-security to my agent?

Add the npm stdio server arc-security-mcp (v0.5.1) to your MCP client config pointing at the published package, then invoke its scan tools from your agent session.

Arc Security

Audit third-party and custom agent skills for malicious patterns before you wire them into Claude Code or Cursor.

Overview

com.arcself/arc-security is a MCP server for the Ship phase that scans AI agent skills across 25 attack classes and supports runtime monitoring.

What is this MCP server?

Covers 25 documented attack classes aimed at agent skill payloads
Catalog cites 1,316+ historical findings from real scans
npm stdio package arc-security-mcp (v0.5.1) for local MCP hosts
Runtime monitoring complements one-off directory scans
GitHub source: ArcSelf/arc-security-mcp
25 attack classes
1,316+ cited findings
Server version 0.5.1

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

What problem does it solve?

Agent skills look harmless until a prompt-injection or credential-stealing pattern ships inside a skill you trusted from a marketplace.

Who is it for?

Indie builders curating many third-party skills for Claude Code who want a dedicated MCP security pass before enabling tools.

Skip if: Teams that only need generic dependency SAST on a Node repo without any agent-skill surface area.

What do I get? / Deliverables

You get classified findings on skill packages and ongoing monitoring hooks so you can block or quarantine risky skills before production use.

Findings mapped to 25 attack classes
Actionable pass/fail signal per skill package
Runtime monitoring integration when enabled

Recommended MCP Servers

1Claw Vault1clawAI/1claw-mcp

1Claw Vault exposes a stdio MCP server (@1claw/mcp) that connects AI agents to HSM-backed secret storage with just-in-ti…2 stars

1passwordCakeRepository/1Password-MCP

The 1Password MCP server lets solo builders wire service-account access into Claude Code, Cursor, or other stdio MCP hos…16 stars

402sentinel Mcpkaditang/402sentinel-mcp

402 Sentinel MCP gives solo builders and agent authors a pre-flight check before honoring x402 payment flows on Base. In…1 stars

A2adependencyinspector Mcpclauxel/a2a-dependency-inspector-mcp

A2A Dependency Inspector MCP is a hosted Clauxel server for builders shipping agent-to-agent (A2A) workflows who must pr…

A2a Governance Bridge Mcp

A2A Governance Bridge is a Model Context Protocol server that exposes governance-oriented tools for multi-agent setups: …

A2aidentitytoll Mcpclauxel/a2a-identity-toll-mcp

A2A Identity Toll MCP is a Clauxel-hosted remote MCP server that acts as an identity and policy toll booth for agent-to-…

Journey fit

Primary fit

How it compares

Skill-focused security MCP, not a general code-review skill or OWASP ZAP replacement.

Common Questions / FAQ

Who is com.arcself/arc-security for?

Solo builders and small teams using Claude Code, Cursor, or similar agents who install skills from registries and want supply-chain scanning via MCP.

When should I use com.arcself/arc-security?

Run it during ship/security whenever you add or update agent skills, especially before granting network or filesystem tools to a new skill.

How do I add com.arcself/arc-security to my agent?

Add the npm stdio server arc-security-mcp (v0.5.1) to your MCP client config pointing at the published package, then invoke its scan tools from your agent session.

Overview

What is this MCP server?

What problem does it solve?

Who is it for?

What do I get? / Deliverables

Recommended MCP Servers

Journey fit

Who is com.arcself/arc-security for?

When should I use com.arcself/arc-security?

How do I add com.arcself/arc-security to my agent?

This week for builders

Overview

What is this MCP server?

What problem does it solve?

Who is it for?

What do I get? / Deliverables

Recommended MCP Servers

Journey fit

Who is com.arcself/arc-security for?

When should I use com.arcself/arc-security?

How do I add com.arcself/arc-security to my agent?