BotBeat

AgentSploit (Open Source Project)
OPEN SOURCE · 2026-06-09

AgentSploit: Open-Source Security Framework Targets AI Agent & MCP Server Vulnerabilities

Key Takeaways

  • AgentSploit is the first publicly available framework designed specifically for testing LLM agent security across the entire agentic attack surface
  • The framework identifies 5 new attack vector classes (tool hijacking, role confusion, delimiter escaping, Unicode smuggling, tool smuggling) that traditional security scanners cannot detect
  • It includes an integrated dashboard, permission graph analysis for multi-server privilege escalation paths, and a live agent runner to confirm exploitability against real Claude/OpenAI models
Source: Hacker News, https://github.com/agentsploit/agentsploit

Summary

AgentSploit, a new open-source security framework, addresses a critical gap in enterprise AI security by providing the first purpose-built testing platform for LLM agents and Model Context Protocol (MCP) servers. Created for red teamers, security researchers, and product security teams, the framework detects vulnerabilities that legacy tools like Burp Suite, ZAP, and Semgrep cannot identify in the agentic attack surface.

The framework ships with 11 specialized modules covering novel attack vectors inherent to agent-based AI systems: tool description hijacking, indirect prompt injection via untrusted content (PDFs, web pages, calendar invites, tickets), privilege escalation through chained tool calls, and memory/context poisoning across sessions. Each module includes bundled vulnerable fixtures, allowing security teams to learn and test in training mode without API keys.

As Fortune 500 companies rapidly deploy LLM agents and MCP servers in 2026, AgentSploit's permission graph mapper (analogous to BloodHound for Active Directory) and multi-format payload generators provide systematic vulnerability assessment. The tool is available via pip and includes strict authorization requirements—mandating written permission before scanning any non-owned target.

  • Open-source design with compliance-first authorization model and training mode for risk-free learning without external API access
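The permission-graph idea described above (mapping which tool chains let untrusted content reach a privileged action across server boundaries) is illustrated below as an added example; it is not AgentSploit's code or data format. The tool inventory and data flows are constructed, and the schema (server, ingests_untrusted, privilege) is an assumption made for the example.

```python
from collections import deque

# Constructed inventory of MCP tools exposed to one agent. Illustrative schema,
# not AgentSploit's own format: each tool records its hosting server, whether it
# ingests attacker-controllable content, and the strongest action it can take.
TOOLS = {
    "fetch_webpage": {"server": "web",    "ingests_untrusted": True,  "privilege": "read"},
    "read_ticket":   {"server": "jira",   "ingests_untrusted": True,  "privilege": "read"},
    "summarize":     {"server": "llm",    "ingests_untrusted": False, "privilege": "none"},
    "write_memory":  {"server": "memory", "ingests_untrusted": False, "privilege": "write"},
    "run_shell":     {"server": "ops",    "ingests_untrusted": False, "privilege": "admin"},
    "list_repos":    {"server": "github", "ingests_untrusted": False, "privilege": "read"},
}
# Constructed data flows: the agent routinely feeds tool A's output into tool B.
FLOWS = [
    ("fetch_webpage", "summarize"), ("read_ticket", "summarize"),
    ("summarize", "write_memory"), ("write_memory", "run_shell"),
    ("summarize", "list_repos"),
]
RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}

def escalation_paths(tools, flows, min_privilege="write"):
    """Return every chain that carries untrusted content across at least one
    server boundary into a tool whose privilege is >= min_privilege."""
    successors = {}
    for src, dst in flows:
        successors.setdefault(src, []).append(dst)
    found = []
    for source in [n for n, t in tools.items() if t["ingests_untrusted"]]:
        queue = deque([(source,)])
        while queue:
            path = queue.popleft()
            last = path[-1]
            # Report the chain once it reaches a privileged tool on another server.
            if (RANK[tools[last]["privilege"]] >= RANK[min_privilege]
                    and tools[last]["server"] != tools[source]["server"]):
                found.append(path)
            for nxt in successors.get(last, []):
                if nxt not in path:  # avoid looping on cycles in the flow graph
                    queue.append(path + (nxt,))
    # Most dangerous sinks first; shorter chains first within the same rank.
    return sorted(found, key=lambda p: (-RANK[tools[p[-1]]["privilege"]], len(p)))

if __name__ == "__main__":
    for path in escalation_paths(TOOLS, FLOWS):
        print(f"{TOOLS[path[-1]]['privilege']:5s} {' -> '.join(path)}")
```

Each reported chain is a candidate for a least-privilege fix: break the flow edge, require human approval before the sink tool runs, or strip the untrusted content before it crosses the server boundary.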

Editorial Opinion

AgentSploit's release exposes a critical blind spot in enterprise AI security: traditional permission models and network scanners operate at the wrong abstraction layer for agentic systems. Tool descriptions, context windows, and multi-step reasoning chains create an entirely new attack surface that requires purpose-built instrumentation. The framework's existence is less a celebration of new tooling and more an urgent wake-up call—enterprise security teams deploying agents without this class of assessment are operating in the dark.

Tags: AI Agents, Machine Learning, Cybersecurity
