Detection Rules
18 rules across 7 scanner modules. Every finding Nixer can flag — with vulnerable code patterns, real-world breach examples, and remediation steps.
Secrets Scanner
Detects API keys, tokens, private keys, and database connection strings committed to source code or config files.
Prompt Injection Scanner
Live endpoint probing for direct injection, indirect injection, system-prompt leakage, jailbreaks, and tool-call abuse.
nixer/prompt-injection/direct
Direct Prompt Injection — Instruction Override
User input overrides the system prompt and hijacks agent behavior.
nixer/prompt-injection/indirect
Indirect Prompt Injection via Retrieved Content
Malicious instructions embedded in external data the agent fetches.
nixer/prompt-injection/leakage
System Prompt Leakage
Agent reveals its system prompt instructions in response to probes.
MCP Server Probe
Discovers and probes Model Context Protocol endpoints for authentication gaps and exposed tool manifests.
Auth & Fraud Scanner
Credential stuffing probes, unauthenticated agent route detection, and rate-limit absence checks.
nixer/fraud/credential-stuffing
Auth Endpoint Accepted Breached Credentials
Login endpoint accepts well-known breached credential pairs without lockout.
nixer/fraud/no-rate-limiting
No Rate Limiting — DDoS / Cost-Exhaustion Risk
Agent endpoint accepts unlimited requests — no 429, no rate-limit headers.
Model Supply Chain
Pickle deserialization RCE detection, ML package typosquat analysis, HuggingFace trust checks, and CVE version audits.
nixer/model-supply-chain/pickle-rce
Pickle Deserialization RCE
torch.load() or pickle.load() without safety flags — RCE via malicious model file.
nixer/model-supply-chain/typosquat
ML Package Typosquat Candidate
Dependency name is 1-2 edits from a legitimate ML package — likely supply-chain attack.
nixer/model-supply-chain/langchain-serialization-injection
LangChain Serialization Injection — LangGrinch (CVE-2025-68664)
langchain-core dumps()/load() fails to escape lc keys — arbitrary object instantiation, secret exfiltration.
CI/CD Pipeline Scanner
GitHub Actions workflow analysis — pwn-requests, script injection, unpinned actions, and token permission audits.
nixer/cicd/pwn-request
pwn-request: pull_request_target + Attacker-Controlled Checkout
Workflow uses pull_request_target with checkout of PR head — attacker code runs with repo secrets.
nixer/cicd/script-injection
Script Injection via github.event.*
Attacker-controlled event data interpolated directly into shell run: blocks.
nixer/cicd/unpinned-action
Unpinned Third-Party GitHub Action
Third-party action pinned to a mutable tag — silent code execution on tag update.
nixer/cicd/broad-token-perms
Broad GITHUB_TOKEN Permissions
Workflow lacks a permissions: block — GITHUB_TOKEN defaults to write-all.
nixer/cicd/workflow-run-secrets
workflow_run Trigger Exposes Secrets to Fork Workflows
workflow_run-triggered workflow references secrets — fork PRs can reach them indirectly.
nixer/cicd/self-hosted-public
Self-Hosted Runner on pull_request Trigger
Self-hosted runner on a public repo pull_request workflow — fork PRs can execute code on your infrastructure.
nixer/cicd/secret-in-env-fork
Secret Exposed in Fork Pull Request Workflow
Repository secret passed to steps in a pull_request-triggered workflow — fork PRs may access it.
Run all 18 checks on your stack
Works on GitHub repos, live agent endpoints, and raw configs. No signup required.
npx nixer scan https://your-agent.example.com