I Audited 13 AI Agent Platforms for Security Misconfigurations — Here's the Open-Source Scanner I Built
NewsTools


via Dev.to, by Sattyam Jain

30 MCP CVEs in 60 days. enableAllProjectMcpServers: true leaking your entire source code. Tool descriptions with invisible Unicode hijacking your agent's behavior. Hardcoded API keys in every other .mcp.json. This is the state of AI agent security in 2026. I built AgentAuditKit to fix it: 77 rules, 13 scanners, one command.

The Problem Nobody's Talking About

Every AI coding assistant (Claude Code, Cursor, VS Code Copilot, Windsurf, Amazon Q, Gemini CLI) adopted MCP (Model Context Protocol) as the standard for tool integration. Developers are connecting 5-15 MCP servers per project. Nobody is reviewing these configurations for security.

Here's what I found when I started looking:

1. Hardcoded Secrets Everywhere

```json
{
  "mcpServers": {
    "my-server": {
      "command": "npx",
      "args": ["@company/mcp-server"],
      "env": {
        "OPENAI_API_KEY": "sk-proj-abc123...",
        "DATABASE_URL": "postgres://admin:password@prod-db:5432"
      }
    }
  }
}
```

This is in .mcp.json files committed to git. Shannon entropy detecti
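The excerpt above describes two checks a config scanner needs: matching known secret formats in an MCP server's `env` block, and a Shannon-entropy fallback for opaque tokens no prefix table knows about, plus a flag check for `enableAllProjectMcpServers: true`. The following is an added, stand-alone illustration of those checks; it is not AgentAuditKit's code. The `SECRET_PATTERNS` table, the `ENTROPY_THRESHOLD` and `MIN_SECRET_LEN` values, and the `SAMPLE_CONFIG` document are my own constructed assumptions, and for the demo the Claude Code flag is placed in the same JSON document as the `mcpServers` block even though in a real checkout it lives in Claude Code's own settings file.

```python
"""Scan an MCP config such as .mcp.json for hardcoded secrets and risky settings.

Added illustration, not AgentAuditKit's code. Detection is two-stage: known
secret formats first (cheap and precise), then a Shannon-entropy fallback for
opaque tokens the pattern table does not recognise.
"""
import json
import math
import re
from collections import Counter

# Constructed sample input, shaped like the .mcp.json quoted in the article.
# Assumption for the demo: enableAllProjectMcpServers sits in the same document;
# in practice it lives in Claude Code's settings JSON, so scan that file too.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "my-server": {
            "command": "npx",
            "args": ["@company/mcp-server"],
            "env": {
                "OPENAI_API_KEY": "sk-proj-abc123...",
                "DATABASE_URL": "postgres://admin:password@prod-db:5432",
                "LOG_LEVEL": "debug",
                "SESSION_SEED": "Qm7xV2pL9zRt4Kw8Hn3Yb6Dj",
            },
        }
    },
    "enableAllProjectMcpServers": True,
})

# Hypothetical minimal patterns for well-known secret shapes; a real scanner carries many more.
SECRET_PATTERNS = {
    "openai_key": re.compile(r"^sk-(proj-)?[A-Za-z0-9_.\-]{6,}$"),
    "github_token": re.compile(r"^gh[pousr]_[A-Za-z0-9]{20,}$"),
    "aws_access_key": re.compile(r"^AKIA[0-9A-Z]{16}$"),
    # scheme://user:password@host  (credentials embedded in a connection URL)
    "url_credentials": re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://[^/\s:@]+:[^/\s@]+@"),
}
ENTROPY_THRESHOLD = 3.5   # bits per character; random API tokens usually sit above this
MIN_SECRET_LEN = 16       # short values rarely reach the threshold and are mostly noise


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for the empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify_value(value: str):
    """Return a finding kind for a string that looks like a secret, else None."""
    for kind, pattern in SECRET_PATTERNS.items():
        if pattern.search(value):
            return kind
    if len(value) >= MIN_SECRET_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
        return "high_entropy"
    return None


def redact(value: str) -> str:
    """Keep only a short prefix so the scanner's own report does not leak the secret."""
    return value[:4] + "…" if len(value) > 4 else "…"


def scan_mcp_config(text: str) -> list:
    """Parse a JSON config document and return one finding dict per issue found."""
    cfg = json.loads(text)
    findings = []
    for server, spec in cfg.get("mcpServers", {}).items():
        for key, value in spec.get("env", {}).items():
            if not isinstance(value, str):
                continue
            kind = classify_value(value)
            if kind:
                findings.append({
                    "rule": "hardcoded_secret",
                    "kind": kind,
                    "server": server,
                    "env_key": key,
                    "preview": redact(value),
                })
    # Auto-trusting every project-supplied server means a cloned repo can wire up
    # a server of its choosing without a prompt; flag the setting itself.
    if cfg.get("enableAllProjectMcpServers") is True:
        findings.append({
            "rule": "auto_trust_project_servers",
            "kind": "enableAllProjectMcpServers",
            "server": None,
            "env_key": None,
            "preview": "true",
        })
    return findings


if __name__ == "__main__":
    for f in scan_mcp_config(SAMPLE_CONFIG):
        print(f"[{f['rule']}] {f['kind']} server={f['server']} "
              f"key={f['env_key']} value={f['preview']}")
```

Running the file reports four findings on the sample: the OpenAI key and the URL credentials are caught by pattern, the opaque SESSION_SEED only by entropy (a reminder that the threshold, not the prefix table, is what catches unfamiliar token formats), and the trust flag by the settings check; LOG_LEVEL is correctly ignored. The report only ever prints a four-character prefix, since a scanner that echoes full secrets into CI logs creates a second leak.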

Continue reading on Dev.to

