QSAG-Core
Open-source security scanner purpose-built for AI agent systems and MCP deployments
Expert verdict
Ship
3-1The Panel's Take
QSAG-Core is a Python security scanner specifically designed for the OWASP Top 10 for Agentic Applications 2026 threat model. It provides three core detection capabilities: MCP tool poisoning (26 malicious patterns across 7 categories), prompt injection (28+ attack patterns including goal hijacking, jailbreak attempts, and memory poisoning), and ghost agent detection for unauthorized API key usage. It runs as pure pattern matching — no ML, no cloud dependency — and can be integrated as a pre-execution guard in any Python-based agent pipeline. Released April 10, 2026 by the Neoxyber team, QSAG-Core fills a real operational gap as MCP-based agent deployments proliferate. While Microsoft's Agent Governance Toolkit addresses similar territory, it's heavyweight and enterprise-focused. QSAG-Core is a pip install and a few lines of code — the security-focused indie alternative that fits into a CI/CD pipeline or an existing agent framework without an enterprise contract. The threat model it addresses is timely. As MCP becomes the de facto standard for tool-calling in AI agents, malicious MCP servers and prompt injection via tool outputs are becoming documented attack vectors. Having a lightweight, open-source scanner that specifically targets these patterns is exactly what the community has been building toward. MIT licensed, 24 commits in its first day.
Share this verdict
QSAG-Core verdict: SHIP 🚀 3 ships · 1 skip from the expert panel Full review: shiporskip.io/tool/qsag-core-mcp-tool-poisoning-prompt-injection-agent-security-scanner-2026
Weekly AI Tool Verdicts
Get the next verdict in your inbox
7 critics review a new AI tool every day. Weekly digest — free.
Compare QSAG-Core with Others
Looking for QSAG-Core alternatives?
Compare QSAG-Core with every other Security tool reviewed by our panel.
See all Security alternativesEmbed this verdict
Tool makers can add a live ShipOrSkip badge to their site. Badge loads track impressions; clicks route back to this review.
<a href="https://shiporskip.io/api/badge-click/qsag-core-mcp-tool-poisoning-prompt-injection-agent-security-scanner-2026" target="_blank" rel="noopener"><img src="https://shiporskip.io/api/badge/qsag-core-mcp-tool-poisoning-prompt-injection-agent-security-scanner-2026" alt="QSAG-Core Ship verdict on ShipOrSkip" width="360" height="90" /></a>[](https://shiporskip.io/api/badge-click/qsag-core-mcp-tool-poisoning-prompt-injection-agent-security-scanner-2026)<iframe src="https://shiporskip.io/embed/qsag-core-mcp-tool-poisoning-prompt-injection-agent-security-scanner-2026" title="QSAG-Core ShipOrSkip verdict" width="360" height="260" style="border:0;border-radius:16px;max-width:100%;" loading="lazy"></iframe>The reviews
“I've been manually reviewing MCP tool schemas before deploying them — QSAG-Core automates that. 26 MCP poisoning patterns and 28 prompt injection patterns in a single pip install is a no-brainer to add to any agent pipeline's security layer.”
“Pattern matching is a starting point, not a solution. Sophisticated prompt injection and MCP poisoning attacks are designed specifically to evade signature-based detection. QSAG-Core will catch known-bad patterns, but a determined attacker will trivially bypass it. This is necessary but not sufficient security.”
“Every major software ecosystem eventually got linters, scanners, and static analysis tools. QSAG-Core is the beginning of that toolchain for AI agents. The OWASP Agentic AI threat model it implements will become the industry baseline. Early adopters of agent-specific security tooling will be ahead of the curve when regulations arrive.”
“Non-technical teams building AI-powered tools with MCP have no idea what tool poisoning even is. QSAG-Core gives developers a way to add a meaningful security layer that they can explain to stakeholders without a security engineering background.”