Concept

Metasploit for AI agents

HackMyAgent is the offensive security toolkit for AI agents. It scans an agent or MCP server, attacks it with real adversarial payloads, and fixes what it finds. Open source under Apache-2.0.

Why Metasploit

Metasploit gave security teams a single offensive toolkit to probe systems the way an attacker would. HackMyAgent does that for AI agents. A red-team run sends real adversarial payloads at a live agent and reports exactly what landed. Against the LegacyBot target in the Damn Vulnerable AI Agent, all 28 of 28 payloads in a passive run succeeded across 14 categories.

Scan

209 static checks plus 29 semantic checks find hardcoded credentials, exposed endpoints, MCP misconfigurations, and supply-chain risk.

Attack

164 adversarial payloads run real prompt injection, jailbreak, and tool-abuse attacks against a live agent, then report what landed.

Fix

Every finding ships with a verify command and a runnable fix. Auto remediation can apply the fix for you and roll it back if needed.

[Image: HackMyAgent scan result showing a score of 42 out of 100, three critical findings, recoverable to 85 by fixing credentials.]

A HackMyAgent scan reports a score, the critical findings, and the path to fix them.

Run it

Scan the current project, no flags required:

npx hackmyagent secure

Run a red-team attack against a live agent endpoint:

npx hackmyagent attack http://localhost:7003 --intensity passive