Open Source AI Agent Security Scanner

What Sunglasses is

Sunglasses is an open-source AI agent security framework — a free, MIT-licensed Python library and detection-pattern catalog that scans every input an AI agent processes before the agent acts on it. It covers text, code, documents, MCP tool descriptions, READMEs, skills, retrieval results, and agent-to-agent messages. The goal is to intercept attacks at ingestion time, before they reach model reasoning or tool calls.

The design is local-first. Sunglasses runs entirely on your infrastructure with no API keys required, no cloud calls in the hot path, and no outbound telemetry by default. You own the data you scan. The library is MIT licensed with commercial use, modification, bundling, and redistribution all permitted.

For a deeper look at the architecture — the 3-stage clean → detect → decide pipeline — read how Sunglasses works. For a plain-language introduction to why this matters, start with the AI agent security 101 guide.

What Sunglasses catches

Sunglasses detects attacks in two broad groups: production-ready coverage and experimental coverage. Here is the honest breakdown.

Strong coverage (production-ready)

• Direct prompt injection — "ignore previous instructions" and 200+ obfuscated variants across 23 languages
• Indirect prompt injection — malicious instructions hidden in documents, retrieval results, web pages, and RAG content your agent reads
• MCP tool poisoning — malicious tool descriptions, manifest manipulation, tool-output policy overrides that turn legitimate MCP servers into attack vectors
• Cross-agent injection — payloads that propagate from agent A to agent B during handoff, including forged revocation receipts and persona-scope rebind attacks (16 new patterns in v0.2.27)
• Credential exfiltration — payloads designed to extract API keys, secrets, and tokens through agent tool calls
• State sync poisoning — A2A protocol-level attacks that corrupt shared agent state
• Runtime governance bypass — payloads targeting guardrail and governance orchestration layers
• Encoded payload obfuscation — base64, ROT13, hex, URL-encoded, HTML-entity, Unicode homoglyph, and mixed-script evasions unwrapped by the normalization layer before detection
• Supply chain attack signals — package and repository signals indicating poisoned dependencies
• README poisoning — hidden instructions in repo READMEs that agents read at install time
• Jailbreak attempt families — roleplay/persona overrides and system-prompt override framings mapped across 54 categories

The full attack taxonomy is documented in the MCP Attack Atlas and cross-referenced with OWASP and MITRE in the compliance section.

Experimental coverage (functional, conservative confidence)

• Audio prompt injection via Whisper transcription path
• Video prompt injection via FFmpeg extraction and frame analysis

Audio and video paths are marked experimental — useful coverage now, but conservative confidence claims until larger public validation sets are published. The FAQ has more on what honest coverage claims look like for both paths.

Install and first scan

Sunglasses installs from PyPI in under a minute. No build tools, no API keys, no accounts required.

After install, run your first scan from the command line:

Or use the Python API directly in your agent pipeline:

The default path covers core text, image, PDF, and QR scanning. Deeper media paths (audio/video) require extra dependencies documented in the Sunglasses manual. For integration walkthroughs with specific frameworks (LangChain, CrewAI, Claude Code), see how it works. Source and full wiring examples are at github.com/sunglasses-dev/sunglasses.

Proof of work

Sunglasses is an active operational security project, not an abandoned repo. Here is what has shipped.

CVP benchmark: Anthropic Cyber Verification Program

Sunglasses is approved by Anthropic's Cyber Verification Program (CVP), organization ID d4b32d1d-..., granted April 16, 2026. CVP authorization unlocks dual-use offensive cybersecurity research with the most capable Claude models for evaluation purposes.

We have published 6 model evaluation reports plus 1 family synthesis report — the most detailed public benchmark series comparing Claude model security behaviors across the Anthropic model family. The evaluation tested each model on our internal 64/64 adversarial corpus, measuring recall, false-positive rate, and detection latency. Read the full methodology and results at the CVP page and in the reports index.

• Run 1: Claude Opus 4.7 (effort MAX)
• Run 2: Claude Opus 4.7 (second run, consistency validation)
• Run 3: Claude Haiku 4.5
• Run 4: Claude Sonnet 4.6
• Run 5: Claude Opus 4.6
• Run 6: Claude Opus 4.7 (effort variation evaluation)
• Family synthesis: cross-model analysis across all runs

Pattern database

Sunglasses v0.2.27 ships 444 detection patterns across 54 attack categories, with 2,296 detection keywords and coverage across 23 languages. The pattern catalog is maintained through autonomous daily research cycles. Internal adversarial testing shows 100% recall on the current 64/64 adversarial corpus, with an 8.3% false-positive rate on 12 benign controls.

The 100% recall figure applies to one internal corpus run — it is not a universal claim. New attack patterns are found and shipped regularly. See the machine-readable handbook for the canonical, verified fact sheet that answer engines and LLM agents use as their reference source.

Published vulnerability reports

The team has published 3 concrete public vulnerability reports to date: Axios RAT campaign analysis, Claude Code supply-chain attack research, and WordPress bot attack telemetry analysis. These are not marketing placeholders — they are real research outputs from live daily threat pipeline cycles. Read them at sunglasses.dev/reports.