I Audited 13 AI Agent Platforms for Security Misconfigurations — Here's the Open-Source Scanner I Built
30 MCP CVEs in 60 days. enableAllProjectMcpServers: true leaking your entire source code. Tool descriptions with invisible Unicode hijacking your agent's behavior. Hardcoded API keys in every other...

Source: DEV Community
30 MCP CVEs in 60 days. enableAllProjectMcpServers: true leaking your entire source code. Tool descriptions with invisible Unicode hijacking your agent's behavior. Hardcoded API keys in every other .mcp.json. This is the state of AI agent security in 2026. I built AgentAuditKit to fix it — 77 rules, 13 scanners, one command.

## The Problem Nobody's Talking About

Every AI coding assistant — Claude Code, Cursor, VS Code Copilot, Windsurf, Amazon Q, Gemini CLI — adopted MCP (Model Context Protocol) as the standard for tool integration. Developers are connecting 5-15 MCP servers per project. Nobody is reviewing these configurations for security.

Here's what I found when I started looking:

### 1. Hardcoded Secrets Everywhere

```json
{
  "mcpServers": {
    "my-server": {
      "command": "npx",
      "args": ["@company/mcp-server"],
      "env": {
        "OPENAI_API_KEY": "sk-proj-abc123...",
        "DATABASE_URL": "postgres://admin:password@prod-db:5432"
      }
    }
  }
}
```

This is in .mcp.json files committed to git. Shannon entropy detection catches t
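To show how the kind of check described above works on an `.mcp.json` file, here is an added example (my own illustration, not AgentAuditKit's code): it walks every server's `env` block, flags connection strings that embed a password, and flags long values whose Shannon entropy is high. The entropy threshold, minimum length and rule names are assumptions, and the sample config is constructed with fake values.

```python
import json
import math
from collections import Counter
from urllib.parse import urlparse

# Constructed sample of a committed .mcp.json; the key and password are fake.
SAMPLE_MCP_JSON = """
{
  "mcpServers": {
    "my-server": {
      "command": "npx",
      "args": ["@company/mcp-server"],
      "env": {
        "OPENAI_API_KEY": "sk-proj-Zq8vL2mNx4Rt7wYpK9sD1fG3hJ6kB0c",
        "DATABASE_URL": "postgres://admin:password@prod-db:5432",
        "LOG_LEVEL": "debug"
      }
    }
  }
}
"""

ENTROPY_THRESHOLD = 3.5  # assumed cut-off, in bits per character
MIN_SECRET_LEN = 16      # assumed: short values like "debug" are never secrets

def shannon_entropy(s: str) -> float:
    """Bits per character over the value's own symbol frequencies."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def url_has_credentials(value: str) -> bool:
    """True for connection strings that embed a password (scheme://user:pw@host)."""
    parts = urlparse(value)
    return bool(parts.scheme and parts.password)

def scan_mcp_config(text: str) -> list:
    """Return (server, env key, rule) for env values that look like hardcoded secrets."""
    cfg = json.loads(text)
    findings = []
    for name, server in cfg.get("mcpServers", {}).items():
        for key, value in (server.get("env") or {}).items():
            if not isinstance(value, str):
                continue
            if url_has_credentials(value):
                findings.append((name, key, "credentials-in-url"))
            elif len(value) >= MIN_SECRET_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((name, key, "high-entropy-value"))
    return findings
```

Running `scan_mcp_config(SAMPLE_MCP_JSON)` reports the API key and the database URL and leaves `LOG_LEVEL` alone; the same walk extends to `headers` or `args` entries that carry tokens.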