Question 1

What is AI agent security?

Accepted Answer

AI agent security focuses on detecting vulnerabilities in autonomous LLM-powered applications, including infinite loops, prompt injection, token bombing, and compliance gaps. Unlike traditional security tools, AI agent security analyzes agentic control flow and LLM-specific risks.

Question 2

What is MCP server security?

Accepted Answer

MCP (Model Context Protocol) server security involves protecting the servers that provide tools and context to AI agents. Key risks include tool poisoning, confused deputy attacks, and unauthorized data access. Inkog is the only scanner that audits MCP servers for security vulnerabilities before installation.

Question 3

What is a confused deputy attack in AI agents?

Accepted Answer

A confused deputy attack in AI agents occurs when an MCP server or tool is tricked into performing privileged actions on behalf of an attacker. The agent acts as the 'confused deputy' executing malicious requests it believes are legitimate. Static analysis can detect missing authorization checks that enable these attacks.

Question 4

How does Inkog detect prompt injection?

Accepted Answer

Inkog uses static analysis to trace data flow from user inputs to LLM prompts, identifying injection points where untrusted data enters prompt templates without proper sanitization. It detects both direct and indirect prompt injection patterns in LangChain, CrewAI, and other frameworks.

Question 5

What AI agent frameworks does Inkog support?

Accepted Answer

Inkog supports 15+ AI agent frameworks including LangChain, LangGraph, CrewAI, AutoGen, PydanticAI, Google ADK, OpenAI Agents, and visual builders like n8n, Flowise, and Langflow. One scanner works across all frameworks.

Question 6

How do I secure LangChain applications?

Accepted Answer

To secure LangChain applications: 1) Scan for serialization vulnerabilities (CVE-2025-68664), 2) Validate all user inputs before they reach prompts, 3) Implement rate limiting on LLM calls, 4) Use Inkog to detect infinite loops and unsafe tool configurations, 5) Enable human-in-the-loop for high-risk actions.

Question 7

Is Inkog compliant with EU AI Act?

Accepted Answer

Yes, Inkog generates compliance reports aligned with EU AI Act requirements including Article 14 (human oversight), Article 15 (accuracy and robustness), and Article 12 (record-keeping). It also maps findings to NIST AI RMF, ISO 42001, and OWASP LLM Top 10.

Question 8

What is token bombing in AI agents?

Accepted Answer

Token bombing occurs when an AI agent enters runaway API loops, consuming excessive tokens and causing unexpected costs. Common causes include infinite recursion, missing loop guards, and context window accumulation. Inkog detects these patterns through static analysis before deployment.

Question 9

What is static analysis for AI agents?

Accepted Answer

Static analysis for AI agents examines agent code and configuration without executing it, detecting vulnerabilities like prompt injection paths, infinite loops, missing authorization checks, and compliance gaps. Unlike runtime monitoring, static analysis catches issues before deployment in CI/CD pipelines.

Inkog Verify

Inkog Guard

MCP Server Security

What is MCP?

Security Risks in MCP Servers

1. Tool Poisoning

2. Confused Deputy Attacks

3. Data Exfiltration

4. Privilege Escalation

Key Security Considerations

Input Validation

Permission Scoping

Tool Description Audit

Action Logging

How Inkog Audits MCP Servers

Related Terms

Audit Your MCP Servers