v0.5.0 embedding-inversion extractor shipped

Attack-path discovery for AI agent infrastructure.

AgentHound is the BloodHound for MCP/A2A config sprawl. It enumerates MCP servers, A2A agents and AI-agent client configs across an estate, builds a directed trust graph in Neo4j, and uses shortest-path algorithms to surface multi-hop attack paths the configuration files alone never reveal.

$ curl -sSfL https://raw.githubusercontent.com/adithyan-ak/agenthound/main/install.sh | sh
Apache 2.0 · Single ~9 MiB collector · Neo4j 4.4 + 5.x · 21 modules
Detection coverage

Maps the trust graph across MCP servers, A2A agents, LiteLLM, Ollama, vLLM, Qdrant, MLflow, Jupyter, Open WebUI, and LangServe.

The full operator workflow

Seven verbs. One graph. End-to-end engagement.

From discovery to looting, exploitation, and clean rollback — every step writes deterministic IDs into the same Neo4j graph, so the pieces compose without manual stitching.

01 scan: Enumerate MCP/A2A configs and AI/ML services across hosts.

02 discover: JSON-RPC initialize probes + A2A agent-card fetches over the wire.

03 loot: Read-only HTTP credential extraction (LiteLLM master key, Ollama).

04 poison: Mutate tool descriptions or instruction files. --commit required.

05 implant: Plant persistence in .cursor/mcp.json & friends.

06 revert: Idempotent rollback by engagement-id. Receipts gate every mutation.

07 extract: Embedding-inversion on GGUF weights. Detect fine-tune training signals.

Real output, not a mock

Run a query. Get a critical path.

Pre-built detections map to OWASP MCP Top 10 + OWASP Agentic Top 10. Or drop into raw Cypher against the Neo4j graph for ad-hoc threat hunting.

Graph schema, in motion

22 node kinds · 24 edges
Agent -[TRUSTS_SERVER]-> MCPServer
MCPServer -[EXPOSES_CREDENTIAL]-> Credential
LiteLLM -[USES_CREDENTIAL]-> Credential
Agent -[CAN_REACH ⚡]-> LiteLLM
MCPTool -[SHADOWS]-> MCPTool
Agent -[CAN_EXFILTRATE_VIA]-> Qdrant
IDs are deterministic SHA-256. Credentials merge across collectors via value_hash.
What AgentHound finds

The paths static config scanners can't see.

Single-file linters look at one config in isolation. AgentHound builds a directed trust graph across configs, services, and credentials — then runs shortest-path queries to surface multi-hop attack chains across protocols.

Critical · Credential-chain CAN_REACH: Server A reads a credential. Server B uses that credential. An agent reaches B's resources without ever trusting B directly. The marquee detection — config files alone never reveal it.

Critical · Shell + DB access: Transitive paths to filesystem, exec, and database tools across protocol boundaries.

High · Tool poisoning: Detects prompt-injection patterns in MCP tool descriptions across scans.

High · Tool shadowing: Identifies malicious tools mimicking legitimate names to hijack agent invocations.

High · Rug-pull detection: Spots supply-chain attacks via description-hash drift between successive scans.

Critical · Cross-protocol pivots: A2A → MCP traversal via host co-location and shared identities — the academically novel paths that span agent meshes and tool servers in one query.
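The credential-chain detection above, and the deterministic-ID / value_hash merge from the schema section, as an added Python example that is not AgentHound's code: a small in-memory graph with the page's edge names, where a directed shortest path from the agent to the LiteLLM proxy only appears once the CAN_REACH edge is derived by joining two collectors' data on the credential's value hash. The exact id input layout, host names and key value are assumptions.

```python
import hashlib
from collections import defaultdict, deque

def node_id(kind, key):
    # Deterministic id: SHA-256 over kind + canonical key (the exact input layout is an assumption).
    return hashlib.sha256(f"{kind}:{key}".encode()).hexdigest()[:16]
def credential_id(secret):
    # Credentials key on value_hash, so two collectors that see one secret produce one merged node.
    return node_id("Credential", hashlib.sha256(secret.encode()).hexdigest())
def derive_can_reach(edges):
    # Agent TRUSTS_SERVER S, S EXPOSES_CREDENTIAL C, T USES_CREDENTIAL C  =>  Agent CAN_REACH T.
    # Returns {(agent, target): (server, credential)} so the chain can be reported as evidence.
    rel = defaultdict(lambda: defaultdict(set))
    for src, r, dst in edges:
        rel[r][src].add(dst)
    users = defaultdict(set)  # credential -> services that USE it (USES_CREDENTIAL inverted)
    for t, creds in rel["USES_CREDENTIAL"].items():
        for c in creds:
            users[c].add(t)
    return {(a, t): (s, c) for a, servers in rel["TRUSTS_SERVER"].items() for s in servers
            for c in rel["EXPOSES_CREDENTIAL"].get(s, ()) for t in users.get(c, ())}

def shortest_path(edges, start, goal):
    # BFS along edge direction; returns the node list, or None when no directed path exists.
    adj = defaultdict(list)
    for src, _, dst in edges:
        adj[src].append(dst)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for m in adj[path[-1]]:
            if m not in seen:
                seen.add(m)
                queue.append(path + [m])
    return None

# Constructed sample: collector 1 saw an agent trusting an MCP server whose config exposes a key;
# collector 2 saw a LiteLLM proxy using a key with the same value. Hosts and key are made up.
SECRET = "sk-constructed-example-key"
AGENT, SERVER_A = node_id("Agent", "cursor@host1"), node_id("MCPServer", "host1:filesystem")
LITELLM_B = node_id("LiteLLM", "10.0.0.5:4000")
EDGES = [(AGENT, "TRUSTS_SERVER", SERVER_A),
         (SERVER_A, "EXPOSES_CREDENTIAL", credential_id(SECRET)),
         (LITELLM_B, "USES_CREDENTIAL", credential_id(SECRET))]
def credential_chain_path():
    # (path over raw edges, path once derived CAN_REACH edges are added, evidence per derived edge)
    derived = derive_can_reach(EDGES)
    graph = EDGES + [(a, "CAN_REACH", t) for (a, t) in derived]
    return shortest_path(EDGES, AGENT, LITELLM_B), shortest_path(graph, AGENT, LITELLM_B), derived
```

The raw edges give no directed route from the agent to the proxy, which is why a per-file linter stays silent; the derived edge carries the server and credential that explain the finding.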

Forensic-grade reversibility

Every poison and implant action persists a Receipt before it mutates anything. revert is idempotent and rolls every destructive action back by engagement-id. Reverters are compile-time mandatory — embedded interface, not optional discipline.
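A constructed Python sketch of the receipt-gated mutation and idempotent revert just described; it is not AgentHound's SDK code, and the Receipt fields, the Ledger and the tools dict are assumptions made for illustration.

```python
import hashlib

# Constructed model of the page's receipt-before-mutation rule. The Receipt fields, the in-memory
# ledger and the tools dict are assumptions for illustration, not AgentHound's real SDK types.

class Receipt:
    def __init__(self, engagement_id, target, before):
        self.engagement_id, self.target, self.before = engagement_id, target, before
        # Deterministic id: the same engagement + target always maps to one receipt.
        self.id = hashlib.sha256(f"{engagement_id}:{target}".encode()).hexdigest()[:16]

class Ledger:
    def __init__(self):
        self.receipts = {}
    def record(self, r):
        # First receipt wins, so a second mutation of the same target keeps the true original.
        self.receipts.setdefault(r.id, r)
    def for_engagement(self, engagement_id):
        return [r for r in self.receipts.values() if r.engagement_id == engagement_id]

def mutate_description(tools, server, tool, new_desc, ledger, engagement_id, commit=False):
    # Dry-run unless commit=True (the page's --commit=false default); receipt persists BEFORE the write.
    target = f"{server}/{tool}"
    if not commit:
        return {"dry_run": True, "target": target}
    ledger.record(Receipt(engagement_id, target, tools[server][tool]))
    tools[server][tool] = new_desc
    return {"dry_run": False, "target": target}

def revert(tools, ledger, engagement_id):
    # Roll back every receipted mutation for the engagement; returns how many values changed.
    # Idempotent: already-restored targets are skipped, so calling twice is safe.
    restored = 0
    for r in ledger.for_engagement(engagement_id):
        server, tool = r.target.split("/", 1)
        if tools[server][tool] != r.before:
            tools[server][tool] = r.before
            restored += 1
    return restored
```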

Modular by design

21 self-registering modules. Add yours in an afternoon.

Each module implements a single SDK action interface — Fingerprinter, Looter, Poisoner, Implanter, Extractor, or Enumerator — and registers itself via init(). The collector binary stays lean (~9 MiB) by design.

config (Enum): Discover and parse local MCP/A2A client configs, instruction files, and credentials.

mcp (Enum): Enumerate MCP servers, tools, resources, prompts, and signals over the wire.

a2a (Enum): Fetch and parse A2A agent cards over HTTP, including JWS signature verification.

networkscan (Scan): Scan a CIDR / host / file-of-targets for AI/ML services on standard ports.

protoscan (Scan): Discover MCP servers via JSON-RPC initialize probe.

litellmfp (Fingerprint): Identify LiteLLM proxy/gateway servers via /health/liveliness.

litellmloot (Loot): Extract upstream provider credentials via the LiteLLM master key (GET only).

ollamafp (Fingerprint): Identify Ollama LLM servers via /api/version.

ollamaloot (Loot): Anonymous model inventory + modelfiles; flag-gated weights and embeddings.

vllmfp (Fingerprint): Identify vLLM inference servers via /v1/models.

qdrantfp (Fingerprint): Identify Qdrant vector databases by canonical title + version JSON.

mlflowfp (Fingerprint): Identify MLflow Tracking Server via the experiments-search API.

mlflowloot (Loot): Anonymous, GET-only experiment + run metadata extraction from MLflow.

jupyterfp (Fingerprint): Identify Jupyter Server via /api/status.

jupyterloot (Loot): Anonymous notebook inventory and active session enumeration.

langservefp (Fingerprint): Identify LangServe (LangChain HTTP API) by OpenAPI title.

openwebuifp (Fingerprint): Identify Open WebUI; capture its configured Ollama backend.

mcppoison (Poison): Rewrite MCP tool descriptions. Reverter mandatory; --commit=false default.

instructionpoison (Poison): Sentinel-bracketed instruction injection in CLAUDE.md / AGENTS.md / .cursorrules.

mcpconfigimplant (Implant): Add a malicious MCP server entry to a client config (.cursor/mcp.json, etc).

embeddinginvert (Extract): Detect fine-tune training signals via embedding-layer outlier analysis on GGUF.

Get started in 60 seconds

Two binaries. No daemons. No telemetry.

The collector is a single binary, ~9 MiB stripped. The server runs Neo4j + Postgres locally and binds 127.0.0.1:8080. There is no application-layer auth: it is single-user by design, so keep it on loopback and do not expose that port beyond the host.

1. Install the collector

Single static Go binary. Linux, macOS, Windows.

# one-liner
curl -sSfL https://raw.githubusercontent.com/adithyan-ak/agenthound/main/install.sh | sh

# or via Go
go install github.com/adithyan-ak/agenthound/collector/cmd/agenthound@latest

2. Run a scan

Local config discovery is offline-safe.

# local configs only — no network
agenthound scan --config

# network sweep
agenthound scan 10.0.0.0/24 \
  --engagement-id ENG-001

3. Stand up the server

Docker Compose brings up Neo4j + Postgres + UI.

# bring up the stack
docker compose up -d

# ingest scan output
agenthound scan --config --output - \
  | agenthound-server ingest -

Map every path in your AI estate.

Open source, Apache 2.0. Built for red teams running real engagements against real MCP/A2A deployments.