Back to Labs
Best Practices
Apr 10, 20267 min read

Building Secure AI Agents with Claude Code and the Inkog MCP

A walkthrough of the dev-flow security loop: build an agent in Claude Code, scan it with the Inkog MCP, explain and fix findings in the same conversation.

IT
Inkog TeamSecurity Research
Share:

Most AI agent security tools run after the code is written — a scan in CI, a SARIF upload, a report emailed to the security team next week. By then the architectural decisions are baked in, the shortcuts are everywhere, and fixing a finding means ripping up code that already shipped.

We think security should live in the same conversation where the code is being written. That's the idea behind the Inkog MCP server: when you build an agent with Claude Code, Cursor, or Claude Desktop, Inkog becomes part of the conversation. You ask Claude to build something. Claude writes it. Inkog checks it. Claude fixes what Inkog finds. You ship.

This post walks through a real session — a developer building a CrewAI research agent in Claude Code — showing what that dev-flow loop actually feels like.

The 60-second install

Inkog's MCP server ships as an npm package and runs via npx. In Claude Code you add a single line to .mcp.json:

json
{
  "mcpServers": {
    "inkog": {
      "command": "npx",
      "args": ["-y", "@inkog-io/mcp"],
      "env": { "INKOG_API_KEY": "sk_live_..." }
    }
  }
}

Restart Claude Code. That's it. Inkog's 10 tools — inkog_scan, inkog_explain_finding, inkog_verify_governance, inkog_audit_mcp_server, inkog_audit_a2a, inkog_compliance_report, and more — are now available to Claude as native tools.

The free tier is 5 scans/month with no credit card. Enough to try the loop end-to-end on a real project.

The dev-flow loop

Here's the pattern we want every agent developer to fall into:

┌─────────────────────────────────────────────────────────┐
│                                                         │
│   1. Ask Claude to build a piece of agent logic        │
│                        │                                │
│                        ▼                                │
│   2. Claude writes the code                            │
│                        │                                │
│                        ▼                                │
│   3. Ask Claude to scan it with Inkog                  │
│                        │                                │
│                        ▼                                │
│   4. Inkog returns findings                            │
│                        │                                │
│                        ▼                                │
│   5. Claude explains each finding and proposes fixes   │
│                        │                                │
│                        ▼                                │
│   6. You approve. Claude applies the fixes.            │
│                        │                                │
│                        ▼                                │
│   7. Re-scan. Confirm clean.                           │
│                        │                                │
└─────────────────────────────────────────────────────────┘

No context switch. No leaving the IDE. No "I'll get to the security review later." The loop is tight enough that fixing a finding feels the same as fixing a typo — it's part of writing the code.

A real session: building a research agent

Let's walk through it. The developer wants a CrewAI agent that takes a research query, searches the web, summarizes results, and writes them to a markdown file.

Step 1 — Ask Claude to build it

Developer: Build me a CrewAI research agent with two agents — a web searcher and a summarizer. It should take a query as input and write the summary to research.md.

Claude writes ~80 lines of Python. A Researcher agent with a SerperDevTool, a Writer agent that composes markdown, and a Crew that glues them together. It compiles. It runs. It feels done.

Step 2 — Ask Claude to scan it

Developer: Scan this with Inkog and tell me what it finds.

Claude invokes inkog_scan on the working directory. Inkog runs the same analysis pipeline as the CLI — secrets detection, the Universal IR, framework adapters, IR rule engine — and returns a JSON payload. In the conversation, the findings look like this:

CRITICAL (1)
  hardcoded_api_key     research_agent.py:3
    SERPER_API_KEY hardcoded as string literal

HIGH (2)
  missing_human_oversight  research_agent.py:42
    Writer agent writes to filesystem without approval

  output_validation_failure  research_agent.py:51
    LLM output written directly to research.md without validation

MEDIUM (1)
  missing_rate_limit  research_agent.py:28
    Researcher tool calls SerperDev with no rate limiter

Step 3 — Ask for an explanation

Developer: Explain the missing_human_oversight one in plain English.

Claude invokes inkog_explain_finding with the finding ID. The response describes why the pattern is risky in a multi-agent setting: the Writer agent produces content from untrusted LLM output and commits it to disk — an attacker who can influence the research query can influence what lands in research.md. EU AI Act Article 14 requires human oversight for agent actions with real-world effects; writing to the filesystem qualifies.

The developer hadn't thought about this. In the old flow, they would have shipped, and maybe a security reviewer would have caught it three weeks later. In the dev-flow loop, it takes 30 seconds.

Step 4 — Ask for fixes

Developer: Fix all four findings.

Claude proposes:

  1. CRITICAL — secret: Move SERPER_API_KEY to os.environ. Add .env.example. Update the SerperDevTool() call.
  2. HIGH — oversight: Add an approve_write callback that prints the generated markdown and waits for [y/N] before calling Path.write_text().
  3. HIGH — validation: Add a Pydantic model ResearchSummary and parse the LLM output through it before writing. Reject outputs that don't match the schema.
  4. MEDIUM — rate limit: Wrap SerperDevTool with a simple semaphore + time.sleep(1) between calls.

The developer reviews each patch in the Claude Code diff view. Approves. Claude applies.

Step 5 — Re-scan

Developer: Re-scan.

✓ No findings. 0 critical, 0 high, 0 medium, 0 low.

Total time from "build me an agent" to "scanned clean": about 8 minutes.

Two moats nobody else has

The dev-flow loop is nice. But it wouldn't matter if Inkog only caught the same patterns every other static analyzer catches. Two tools set Inkog apart — and both are unique to the MCP surface.

inkog_verify_governance: AGENTS.md validation

AGENTS.md is the emerging standard for declaring what an agent can do, who can approve what, and what its risk tier is. It's a governance manifest — but a manifest is only useful if it matches reality.

inkog_verify_governance parses the agent's AGENTS.md and cross-checks every claim against the actual code:

  • Does the AGENTS.md say "no filesystem writes" while the code calls open(path, 'w')?
  • Does it claim "requires human approval for external API calls" while the code runs requests.post() with no callback?
  • Does it declare an EU AI Act risk tier that doesn't match the observed capability surface?

Ask Claude "Does this agent match its AGENTS.md?" and you get a concrete, line-level answer. No competitor has this. We haven't found a single static analyzer, policy engine, or LLM security tool that verifies governance manifests against source.

inkog_audit_a2a: multi-agent delegation auditing

Multi-agent systems have a trust problem. When Agent A delegates to Agent B, who validates the task description? Who signs the message? Who checks Agent B's return value? In the current generation of frameworks, nobody does — and we covered the consequences in our CrewAI authentication post.

inkog_audit_a2a walks the agent-to-agent communication graph and reports:

  • Unsigned delegation messages (CWE-345)
  • Missing authorization checks at handoff boundaries
  • Delegation loops with no termination guard
  • Shared-memory writes with no access control
  • Cross-agent data flow that bypasses validation

If you're building anything non-trivial with CrewAI, LangGraph multi-agent, or AutoGen, this is the tool to run before you ship.

Recommended prompts to keep in your back pocket

These are the prompts that make the dev-flow loop feel natural. Copy them into a snippet or a CLAUDE.md:

  • "Scan the current directory with Inkog and show me any CRITICAL or HIGH findings."
  • "Explain the top finding in plain English. What's the risk, and how do I fix it?"
  • "Verify my AGENTS.md against the code. Does what I declared match what the agent actually does?"
  • "Audit the agent-to-agent delegation in this crew. Any unsigned handoffs?"
  • "Run a compliance report and map the findings to EU AI Act Articles 12, 14, and 15."
  • "Audit the MCP servers I'm integrating with. Any tool poisoning or excessive capabilities?"

Pin these in the project's CLAUDE.md and every contributor gets the same security co-pilot for free.

Why this matters

AI agent security tools are useful. AI agent security embedded in the development conversation is a category shift. It changes the question from "did we remember to run the scan?" to "does the code pass the scan before it gets committed?" That's a much easier question to answer — because the agent you're building with is the agent that's checking your work.

Install the MCP server, connect it to Claude Code, and try the loop end-to-end. The free tier is enough. If it doesn't change how you think about agent development, ping us — we want to hear why.


Get started: