As AI agents become more powerful, their plugin ecosystems become attractive targets for malicious actors. Vexscan is a security scanner that vets AI agent extensions before they can cause harm.
Built in Rust for speed and reliability, Vexscan analyzes plugins, skills, and MCP (Model Context Protocol) servers across multiple detection layers. It catches threats that traditional scanners miss—from obvious code execution patterns to deeply obfuscated payloads hidden behind multiple encoding layers.
Entropy detection — Flags suspiciously random strings that may hide encoded payloads
Dependency scanning — Checks npm packages against vulnerability databases
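As an added illustration of the entropy detection layer above (example code, not Vexscan's own implementation), this Rust snippet scores the string literals in a constructed plugin source sample by Shannon entropy and flags long, high-entropy ones, which is how an encoded payload stands out from ordinary text. The sample source, the 20-byte minimum length, the 4.5 bits/byte threshold and the naive quote-splitting lexer are all assumptions chosen for the demo.

```rust
// Added example (not Vexscan's own code): Shannon-entropy screening of string
// literals in plugin source, the idea behind the entropy detection layer above.
// The length and entropy thresholds are assumptions chosen for this demo.
use std::collections::HashMap;

/// Constructed sample: one plain message and one base64-looking blob.
pub const SAMPLE_SRC: &str = r#"const greeting = "Welcome to the sample plugin!";
const blob = "Q9kZ3xW5jTprLvm4FHzaeI2RtY7bSnUc";"#;

/// Shannon entropy of `s` in bits per byte (0.0 for an empty string).
pub fn shannon_entropy(s: &str) -> f64 {
    let bytes = s.as_bytes();
    if bytes.is_empty() {
        return 0.0;
    }
    let mut counts: HashMap<u8, usize> = HashMap::new();
    for &b in bytes {
        *counts.entry(b).or_insert(0) += 1;
    }
    let n = bytes.len() as f64;
    counts.values().map(|&c| { let p = c as f64 / n; -p * p.log2() }).sum()
}

/// Naive literal extraction: text between pairs of double quotes.
/// No escape handling; an unbalanced quote makes the trailing text look like a literal.
pub fn string_literals(src: &str) -> Vec<String> {
    src.split('"')
        .enumerate()
        .filter(|(i, _)| i % 2 == 1) // odd segments lie between quotes
        .map(|(_, s)| s.to_string())
        .collect()
}

/// Literals at least `min_len` bytes long whose entropy reaches `threshold`.
/// Prose and identifiers usually land around 3.5-4.5 bits/byte; base64 of
/// packed or encrypted data sits closer to its 6-bit ceiling.
pub fn flag_high_entropy(src: &str, min_len: usize, threshold: f64) -> Vec<(String, f64)> {
    string_literals(src)
        .into_iter()
        .filter(|s| s.len() >= min_len)
        .map(|s| { let e = shannon_entropy(&s); (s, e) })
        .filter(|(_, e)| *e >= threshold)
        .collect()
}

fn main() {
    for (lit, e) in flag_high_entropy(SAMPLE_SRC, 20, 4.5) {
        println!("high-entropy literal ({e:.2} bits/byte): {lit}");
    }
}
```

The length gate matters in practice: short identifiers and hashes score high on their own, so a scanner tunes both knobs together and reviews hits rather than blocking on them outright.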
Integration Options
Vexscan fits into multiple workflows:
Claude Code plugin — Automatic scanning on session start with AI-powered analysis
OpenClaw plugin — Security scanning for OpenClaw, the open-source personal AI assistant that runs locally across chat platforms
CLI tool — Standalone scanner for manual vetting
CI/CD pipelines — GitHub Actions integration with SARIF output for security dashboards
Watch mode — Real-time monitoring of plugin directories
Why It Matters
The AI agent ecosystem is growing rapidly, with thousands of community-contributed plugins. A single malicious plugin can steal credentials, exfiltrate data, or compromise entire development environments. Vexscan provides a security gate that catches threats before installation, helping developers adopt plugins with confidence.
Cross-platform support covers macOS (Intel and Apple Silicon), Linux, and Windows. Output formats include CLI reports, JSON for automation, SARIF for GitHub Security, and Markdown for documentation.
Related Projects
Claude Mneme – Persistent memory plugin for Claude Code that Vexscan can scan for security
Claude Simple Status – Statusline plugin for Claude Code showing model and quota usage
TokenLean – CLI toolkit for token-efficient code analysis