Tencent’s Zhuque Lab released AI-Infra-Guard on June 30, an open-source security framework that includes the first publicly available scanner for auditing MCP servers and agent skill packages. The framework appeared on HuggingFace Daily Papers on July 6 and addresses a structural blind spot in AI agent security: existing red-teaming tools test whether language models produce harmful output, but leave the infrastructure, protocol, and supply-chain layers of agentic systems unaudited.

The Gap in Current Red-Teaming Tools

The AI red-teaming ecosystem before AI-Infra-Guard, including Microsoft’s PyRIT, NVIDIA’s Garak, and Promptfoo, targets what security researchers call the model layer: the direct interface between a user and the underlying language model. These tools test whether an LLM can be jailbroken or induced to produce harmful content through adversarial prompts.

That approach made sense when the threat model was a chatbot responding to text. It does not cover agents that browse websites, read files, call APIs through MCP servers, and execute code.

Raja Sekhar Rao Dheekonda, co-creator of Microsoft’s PyRIT and Counterfit projects, described the current state of the field in a May 2026 analysis published by Help Net Security as “a brute-force engineering exercise around library configuration rather than security and safety probing.” His critique identifies the core mismatch: the toolkit has grown larger while targeting the same narrow attack surface, leaving agent infrastructure unexamined.

OWASP formalized this gap in December 2025 when it published the Top 10 for Agentic Applications 2026 at Black Hat Europe. The framework identifies risk categories specific to autonomous AI systems, including Agent Goal Hijack, Tool Misuse and Exploitation, and Agentic Supply Chain Compromise, none of which model-layer red-teaming tools address.

How AI-Infra-Guard Works

The framework organizes testing around what Tencent calls “layer-paradigm matching,” the principle that each layer of an AI agent’s attack surface requires a different detection method.

The infrastructure layer uses deterministic rule matching across more than 75 AI components and 1,400+ vulnerability rules, according to the technical report. The engine identifies which AI component is present, extracts its version, and checks against its rule database.

The protocol and tool layer, covering MCP servers and agent skill packages, uses LLM-driven agentic auditing. This is the supply-chain scanner: it can check third-party agent skills for adversarial content, semantic tool-poisoning, and code integrity issues.

The agent behavior layer uses multi-turn black-box testing, and the model layer includes a jailbreak harness with 26+ attack operators across sixteen datasets.

Why MCP Security Matters Now

The timing reflects escalating real-world risk. The Model Context Protocol, which Anthropic introduced in 2024 and which OpenAI, Google DeepMind, and dozens of enterprise vendors have adopted as the de facto interface between AI agents and external tools, is now connective tissue for most production agent deployments.

An NSA advisory published in May 2026 documented CVE-2025-49596, a remote code execution flaw in MCP-Inspector, and described semantic tool-poisoning attacks as systemic rather than isolated. Security researchers confirmed in April 2025 that MCP carries multiple outstanding vulnerabilities, including prompt injection and tool-poisoning attacks that hijack agent behavior through ordinary tool interactions, as reported by TechTimes.

The Architecture Question

AI-Infra-Guard is open-sourced under a permissive license, which means enterprise security teams can extend it to cover their own MCP servers and skill registries. The framework’s thesis, that agent security is a multi-layer problem requiring different detection methods at each layer, provides a practical organizing principle for teams that are currently applying model-level testing to infrastructure-level problems.

Whether the 1,400+ vulnerability rules and the MCP scanner catch enough of the attack surface in practice remains an open question. But as the first publicly available tool that can audit MCP supply chains, it fills a gap that security teams have been building internal solutions to address.