AI Skill Hub 强烈推荐:开发机器安全卫士 是一款优质的MCP工具。AI 综合评分 8.2 分,在同类工具中表现稳健。如果你正在寻找可靠的MCP工具解决方案,这是一个值得深入了解的选择。
专为开发者设计的MCP安全扫描工具。可检测AI代理、MCP服务器、IDE扩展和可疑文件,帮助开发者全面了解本地环境中的工具和潜在风险,提升开发机器安全性。
开发机器安全卫士 是一款遵循 MCP(Model Context Protocol)标准协议的 AI 工具扩展。通过 MCP 协议,它可以让 Claude、Cursor 等主流 AI 客户端直接访问和操作外部工具、数据源和服务,实现 AI 能力的无缝扩展。无论是文件操作、数据库查询还是 API 调用,都可以通过自然语言在 AI 对话中直接触发,极大提升生产效率。
专为开发者设计的MCP安全扫描工具。可检测AI代理、MCP服务器、IDE扩展和可疑文件,帮助开发者全面了解本地环境中的工具和潜在风险,提升开发机器安全性。
开发机器安全卫士 是一款遵循 MCP(Model Context Protocol)标准协议的 AI 工具扩展。通过 MCP 协议,它可以让 Claude、Cursor 等主流 AI 客户端直接访问和操作外部工具、数据源和服务,实现 AI 能力的无缝扩展。无论是文件操作、数据库查询还是 API 调用,都可以通过自然语言在 AI 对话中直接触发,极大提升生产效率。
# 方式一:通过 Claude Code CLI 一键安装
claude skill install https://github.com/step-security/dev-machine-guard
# 方式二:手动配置 claude_desktop_config.json
{
"mcpServers": {
"--------": {
"command": "npx",
"args": ["-y", "dev-machine-guard"]
}
}
}
# 配置文件位置
# macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
# Windows: %APPDATA%/Claude/claude_desktop_config.json
# 安装后在 Claude 对话中直接使用 # 示例: 用户: 请帮我用 开发机器安全卫士 执行以下任务... Claude: [自动调用 开发机器安全卫士 MCP 工具处理请求] # 查看可用工具列表 # 在 Claude 中输入:"列出所有可用的 MCP 工具"
// claude_desktop_config.json 配置示例
{
"mcpServers": {
"________": {
"command": "npx",
"args": ["-y", "dev-machine-guard"],
"env": {
// "API_KEY": "your-api-key-here"
}
}
}
}
// 保存后重启 Claude Desktop 生效
<p align="center"> <img src="images/banner.png" alt="StepSecurity Dev Machine Guard — shield logo with terminal prompt" width="800"> </p>
<p align="center"> <img src="images/demo.gif" alt="StepSecurity Dev Machine Guard demo" width="800"> </p>
<p align="center"> <a href="https://github.com/step-security/dev-machine-guard/actions/workflows/tests.yml"><img src="https://github.com/step-security/dev-machine-guard/actions/workflows/tests.yml/badge.svg?branch=main" alt="Tests"></a> <a href="https://github.com/step-security/dev-machine-guard/actions/workflows/gosec.yml"><img src="https://github.com/step-security/dev-machine-guard/actions/workflows/gosec.yml/badge.svg?branch=main" alt="Gosec"></a> <a href="https://github.com/step-security/dev-machine-guard/actions/workflows/release.yml"><img src="https://github.com/step-security/dev-machine-guard/actions/workflows/release.yml/badge.svg" alt="Release"></a> <a href="https://goreportcard.com/report/github.com/step-security/dev-machine-guard"><img src="https://goreportcard.com/badge/github.com/step-security/dev-machine-guard" alt="Go Report Card"></a> <a href="https://pkg.go.dev/github.com/step-security/dev-machine-guard"><img src="https://pkg.go.dev/badge/github.com/step-security/dev-machine-guard.svg" alt="Go Reference"></a> <a href="LICENSE"><img src="https://img.shields.io/badge/license-Apache%202.0-blue.svg" alt="License: Apache 2.0"></a> <a href="https://github.com/step-security/dev-machine-guard/releases"><img src="https://img.shields.io/github/v/release/step-security/dev-machine-guard?label=release&color=purple" alt="Latest release"></a> </p>
<p align="center"> <b>Scan your dev machine for AI agents, MCP servers, IDE extensions, suspicious files, and risky package-manager configs — in seconds.</b> </p>
Release assets are named stepsecurity-dev-machine-guard-<version>-<os> (for example, stepsecurity-dev-machine-guard-1.12.0-darwin). Rather than hardcoding a version, discover the latest asset dynamically so the command keeps working across releases.
macOS:
```bash
git clone https://github.com/step-security/dev-machine-guard.git
cd dev-machine-guard
make build
./stepsecurity-dev-machine-guard
Requires Go 1.26+. The binary has zero external dependencies.
./stepsecurity-dev-machine-guard install
```bash
./stepsecurity-dev-machine-guard install
./stepsecurity-dev-machine-guard uninstall ```
Open-source commitment: StepSecurity enterprise customers use the exact same binary from this repository. There is no separate closed-source version — all scanning capabilities are developed and maintained here in the open. Enterprise mode adds centralized infrastructure (dashboard, policy engine, alerting) on top of the same open-source scanning engine.
```bash
make build
make clean ```
The steps below install the binary directly and are intended for community users evaluating Dev Machine Guard on a single machine.
Enterprise customers should not install the binary manually. Deploy Dev Machine Guard across your fleet using the loader script through your MDM or EDR tooling. See the Installation Script documentation for the supported, auto-updating deployment flow.
stepsecurity-dev-machine-guard [COMMAND] [OPTIONS]
```bash
| Flag | Description | |||
|---|---|---|---|---|
--search-dirs DIR [DIR...] | Search DIRs instead of $HOME (replaces default; repeatable) | |||
--enable-npm-scan | Enable Node.js package scanning | |||
--disable-npm-scan | Disable Node.js package scanning | |||
--enable-brew-scan | Enable Homebrew package scanning | |||
--disable-brew-scan | Disable Homebrew package scanning | |||
--enable-python-scan | Enable Python package scanning | |||
--disable-python-scan | Disable Python package scanning | |||
--include-bundled-plugins | Include bundled/platform IDE plugins in output | |||
--log-level=LEVEL | Log level: error \ | warn \ | info \ | debug |
--verbose | Shortcut for --log-level=debug | |||
--color=WHEN | Color mode: auto \ | always \ | never (default: auto) | |
-v, --version | Show version | |||
-h, --help | Show help |
count=$(./stepsecurity-dev-machine-guard --json | jq '.summary.mcp_configs_count') [ "$count" -gt 0 ] && echo "MCP servers detected!" && exit 1
./stepsecurity-dev-machine-guard configure
./stepsecurity-dev-machine-guard configure show
Run configure to set up enterprise credentials and default search directories:
./stepsecurity-dev-machine-guard configure
This interactively prompts for all configurable settings:
| Setting | Description | Default |
|---|---|---|
| Customer ID | Your StepSecurity customer identifier | _(not set)_ |
| API Endpoint | StepSecurity backend URL | _(not set)_ |
| API Key | Authentication key for telemetry uploads | _(not set)_ |
| Scan Frequency | How often scheduled scans run (hours) | _(not set)_ |
| Search Directories | Comma-separated list of directories to scan | $HOME |
| Enable NPM Scan | Node.js package scanning | auto |
| Enable Brew Scan | Homebrew package scanning | auto |
| Enable Python Scan | Python package scanning | auto |
| Color Mode | Terminal color output | auto |
| Output Format | Default output format | pretty |
| HTML Output File | Default path for HTML reports | _(not set)_ |
| Log Level | Logging verbosity | error |
View current settings:
./stepsecurity-dev-machine-guard configure show
Configuration (~/.stepsecurity/config.json):
Customer ID: my-company
API Endpoint: https://api.stepsecurity.io
API Key: ***a1b2
Scan Frequency: 4 hours
Search Directories: $HOME, /Volumes/code
Enable NPM Scan: auto
Enable Brew Scan: auto
Enable Python Scan: auto
Color Mode: auto
Output Format: pretty
Log Level: error
Configuration is saved to ~/.stepsecurity/config.json with 0600 permissions (owner read/write only).
CLI flags always override config file values — this matches the shell script behavior. For example, if your config has output_format: json, running ./stepsecurity-dev-machine-guard --pretty uses pretty output. To clear a value during configuration, enter a single dash (-).
./stepsecurity-dev-machine-guard configure ```
In enterprise mode (send-telemetry, install), progress is always shown regardless of the log level — the output is captured as execution logs and sent to the backend for debugging.
Beyond inventorying what is installed, Dev Machine Guard inspects how each machine is configured to pull packages, and whether any files associated with known attacks are present.
Compromised packages most often reach a machine because that machine resolves directly from a public registry with no cooldown window against freshly published versions. Dev Machine Guard audits the package-manager configuration on each machine across every scope (project, user, and global) and resolves three things per package manager:
Configuration is read from .npmrc (npm), pnpm config, bunfig.toml (bun), .yarnrc / .yarnrc.yml (yarn classic and berry), and pip.conf (pip). In enterprise mode this rolls up into the Package Configs view in the dashboard, where you can spot machines that are unprotected or pointed at the wrong registry.
./stepsecurity-dev-machine-guard configure
./stepsecurity-dev-machine-guard --verbose --enable-npm-scan
./stepsecurity-dev-machine-guard --json | jq '.summary.ide_extensions_count'
make smoke
| Feature | Community (Free) | Enterprise |
|---|---|---|
| AI agent & tool inventory | Yes | Yes |
| IDE extension scanning | Yes | Yes |
| MCP server config audit | Yes | Yes |
| Pretty / JSON / HTML output | Yes | Yes |
| Package scanning (Node.js, Homebrew, Python) | Opt-in | Default on |
| System package scanning (Linux) | Yes | Yes |
| Package-manager config auditing | Yes | Yes |
| Suspicious file detection | Yes | Yes |
| Interactive configuration | Yes | Yes |
| Centralized dashboard | Yes | |
| Policy enforcement & alerting | Yes | |
| Scheduled scans (launchd / systemd / schtasks) | Yes | |
| Historical trends & reporting | Yes |
Enterprise mode requires a StepSecurity subscription. Start a 14-day free trial by installing the StepSecurity GitHub App.
Dev Machine Guard is not a replacement for dependency scanners, vulnerability databases, or endpoint security tools. It covers a different layer — the developer tooling surface — that these tools were never designed to inspect.
| Tool Category | What It Does Well | What It Misses |
|---|---|---|
**npm audit / yarn audit** | Flags known CVEs in declared dependencies | Has no visibility into IDEs, AI tools, MCP servers, or IDE extensions |
| **OWASP Dep-Check / Snyk / Socket** | Deep dependency vulnerability and supply-chain risk analysis | Does not scan the broader developer tooling layer (AI agents, IDE extensions, MCP configs) |
| **EDR / MDM (CrowdStrike, Jamf, Intune)** | Device posture, compliance, and malware detection | Zero visibility into developer-specific tooling like IDE extensions, MCP servers, or AI agent configurations |
Dev Machine Guard fills the gap by inventorying what is actually running in your developer environment. Deploy it alongside your existing security stack for complete coverage.
实用的开发环境安���工具,弥补MCP生态安全管理空白。活跃维护、可靠度高,值得推荐。
AI Skill Hub 为第三方内容聚合平台,本页面信息基于公开数据整理,不对工具功能和质量作任何法律背书。
建议在沙箱或测试环境中充分验证后,再部署至生产环境,并做好必要的安全评估。
✅ Apache 2.0 — 宽松开源协议,可商用,需保留版权声明和 NOTICE 文件,含专利授权条款。
总体来看,开发机器安全卫士 是一款质量优秀的MCP工具,在同类工具中具备一定竞争力。AI Skill Hub 将持续追踪其更新动态,建议收藏备用,结合自身场景选择合适时机引入使用。
| 原始名称 | dev-machine-guard |
| 原始描述 | 开源MCP工具:Scan your dev machine for AI agents, MCP servers, IDE extensions, and suspicious。⭐136 · Go |
| Topics | 安全扫描MCP工具开发环保威胁检测 |
| GitHub | https://github.com/step-security/dev-machine-guard |
| License | Apache-2.0 |
| 语言 | Go |
收录时间:2026-05-23 · 更新时间:2026-05-30 · License:Apache-2.0 · AI Skill Hub 不对第三方内容的准确性作法律背书。
选择 Agent 类型,复制安装指令后粘贴到对应客户端