We run a lot of AI agents. Some draft chargeback rebuttals, some classify evidence, some talk to Stripe's dispute API. They spin up, install whatever Python or Node packages they need from a frozen requirements.txt we rarely touch, and do their job.
Earlier this quarter one of our routing models started crashing in a way we didn't recognize. After a few hours of staring at stack traces we found the real story: a transitive dependency three levels deep had a known remote code execution CVE, patched two months ago, that our frozen lockfile had been carrying the entire time. Nothing in our pipeline was scanning the packages an agent auto-installs at runtime.
The uncomfortable truth: nobody is scanning them. Snyk, Dependabot, GitHub's security tab — those all scan the code you push to git. But AI agents don't commit. They read a prompt, pip-install a parser, load a model, return an answer, and disappear. Nothing gets peer-reviewed. Nothing gets bot-scanned. And the blast radius is not "a web app" — it's an AI agent with payment-system credentials.
2026 has been a brutal year for AI-agent security incidents. The cumulative public losses from agent-level vulnerabilities — prompt injection that escalated into package installation, LLM tool calls that loaded malicious MCP servers, agent frameworks that auto-downloaded typosquatted packages — crossed $45 million in reported losses in the first quarter alone. And those are just the ones that went public.
Most of those incidents aren't clever prompt-injection art. They're boring: an agent installed a package, the package had a known, in-the-wild, CISA-flagged CVE, and nothing stopped it because nothing was looking.
We didn't need a seat-based SaaS. We didn't need another dashboard. We didn't need to rig another OAuth flow for a machine that can't click "I agree." What we needed was a plain, machine-readable service that, given a list of (ecosystem, package, version) tuples, tells us which ones are vulnerable and which are being exploited in the wild right now. Agent-native. Pay-per-call. No account.
We couldn't find it. So we built it.
Aegis402 is a tiny MCP server sitting on top of two public data sources: GitHub Security Advisories (the reviewed, structured ones — not the noisy NVD CPE dump) and the CISA Known Exploited Vulnerabilities catalog. Both mirrors refresh every 60 minutes. You hand it a dependency list, it hands you back CVE ids, severity, CVSS, fixed version, in-the-wild exploitation flag, and a known-ransomware flag.
Pricing is the part that matters to agent operators:
$0.005 per dependency, settled inline in USDC on Base via the x402 protocol. 40% batch discount starting at 10 deps per call. No signup, no API key, no credit card. Your agent pays out of its own wallet, per call.
That pricing matters because it's the first time an AI agent can make a local economic decision about security. Scanning 50 dependencies before shipping a chargeback response costs $0.15. A subscription SaaS asking for a $500/month seat for the same service makes no sense when you're running 3 agents that hit it 10 times a day.
The server speaks MCP Streamable HTTP (protocol version 2025-03-26). Any compliant MCP client — Claude Desktop, Cursor, Continue, Cline, Goose, or a hand-rolled agent — can discover the scan tool and call it. For non-MCP environments we expose a plain REST endpoint:
curl -X POST https://aegis402.vmaxbadge.ch/scan \
  -H 'content-type: application/json' \
  -d '{"deps":[
    {"ecosystem":"pip","package":"rembg","version":"2.0.74"},
    {"ecosystem":"npm","package":"mathjs","version":"15.1.0"}
  ]}'
The first request without an X-PAYMENT header returns a 402 Payment Required with the x402 challenge — price, wallet address, network, asset. Your agent reads the challenge, signs a USDC transfer authorization, retries with the header, gets the scan result back in the same round-trip. The whole thing is under a second.
On our side we call it twice per chargeback pipeline run: once when the agent selects its evidence-gathering tools, once before it serializes the response. It added maybe 60 ms of latency and caught three vulnerable packages we didn't know we had in the first week.
Full disclosure: Aegis402 is built and run by the same team that operates ChargeShield. It's a separate experiment — a standalone business deliberately operated by an autonomous agent with zero humans in the SLA loop, as a test of what a fully machine-native micro-service economy looks like. If it goes down, no one is paged. The cron heals it or it dies.
We're writing about it here for the same reason you'd write about any internal tool that became genuinely useful: if you're running AI agents that touch money, scanning the packages they install before they install them is probably a minimum-viable hygiene step. If you use something else, use something else. But please — scan them.
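The "scan them before they install them" step above, as an added example that is not Aegis402's own code: a pre-install gate that turns a frozen requirements.txt into the (ecosystem, package, version) tuples the service takes, runs them through an injected scan function, and refuses the install when a finding is in CISA KEV, is flagged for ransomware, or clears a CVSS/severity threshold. The finding keys (cve, severity, cvss, fixed_version, exploited_in_wild, known_ransomware) mirror the fields the post lists but are an assumption, not the service's documented schema; the lockfile and the catalog of findings below are constructed for the demo, and the CVE ids in it are placeholders.

```python
"""Pre-install gate for packages an agent is about to install (added example).

Finding keys below are an ASSUMPTION mirroring the fields the post lists, not the
service's documented JSON schema. All sample data is constructed for the demo.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional

# Exact pins only: name, optional extras, '==', version. Unpinned specs such as
# requests>=2 deliberately do not match: there is no single version to look up.
_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;]+)")


def parse_requirements(text: str, ecosystem: str = "pip") -> list:
    """Return scan-ready dicts for every pinned requirement line."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("-"):          # blank, -r includes, --index-url
            continue
        m = _PIN.match(line)
        if m:
            deps.append({"ecosystem": ecosystem, "package": m.group(1).lower(),
                         "version": m.group(2)})
    return deps


@dataclass
class Policy:
    block_exploited: bool = True      # anything in CISA KEV is blocked unconditionally
    block_ransomware: bool = True
    max_cvss: float = 7.0             # block at or above this score
    block_severities: frozenset = frozenset({"critical", "high"})


@dataclass
class Verdict:
    allowed: bool
    blocked: list                     # "ecosystem:package@version" keys
    reasons: dict = field(default_factory=dict)


def decide(findings: Iterable[dict], policy: Optional[Policy] = None) -> Verdict:
    """Apply the policy; each finding is one (package, CVE) pair."""
    policy = policy or Policy()
    reasons: dict = {}
    for f in findings:
        key = f"{f['ecosystem']}:{f['package']}@{f['version']}"
        why = []
        if policy.block_exploited and f.get("exploited_in_wild"):
            why.append(f"{f['cve']}: exploited in the wild (CISA KEV)")
        if policy.block_ransomware and f.get("known_ransomware"):
            why.append(f"{f['cve']}: used in known ransomware campaigns")
        if f.get("cvss") is not None and f["cvss"] >= policy.max_cvss:
            why.append(f"{f['cve']}: CVSS {f['cvss']} >= {policy.max_cvss}")
        if str(f.get("severity", "")).lower() in policy.block_severities:
            why.append(f"{f['cve']}: severity {f['severity']}")
        if why and f.get("fixed_version"):
            why.append(f"{f['cve']}: fixed in {f['fixed_version']}")
        if why:
            reasons.setdefault(key, []).extend(why)
    blocked = sorted(reasons)
    return Verdict(allowed=not blocked, blocked=blocked, reasons=reasons)


def gate(requirements: str, scan: Callable[[list], list],
         policy: Optional[Policy] = None) -> Verdict:
    """Parse, scan, decide. `scan` is whatever calls the scanning service."""
    deps = parse_requirements(requirements)
    if not deps:
        return Verdict(allowed=True, blocked=[])
    return decide(scan(deps), policy)


# ---- constructed demo data: not real advisories, placeholder CVE ids -------------
SAMPLE_REQUIREMENTS = """\
# constructed lockfile for the demo
rembg==2.0.74
examplelib[extra]==1.0.0 ; python_version >= "3.9"
otherlib==3.2.0
requests>=2.31    # unpinned, skipped by the parser
-r base.txt
"""

_FAKE_CATALOG = {
    ("pip", "examplelib", "1.0.0"): [{"cve": "CVE-EXAMPLE-0001", "severity": "high",
        "cvss": 8.8, "fixed_version": "1.0.1", "exploited_in_wild": True,
        "known_ransomware": False}],
    ("pip", "otherlib", "3.2.0"): [{"cve": "CVE-EXAMPLE-0002", "severity": "low",
        "cvss": 3.1, "fixed_version": "3.3.0", "exploited_in_wild": False,
        "known_ransomware": False}],
}


def fake_scan(deps: list) -> list:
    """Stand-in for the scanning call, returning the constructed findings above."""
    return [{**d, **v} for d in deps
            for v in _FAKE_CATALOG.get((d["ecosystem"], d["package"], d["version"]), [])]


if __name__ == "__main__":
    verdict = gate(SAMPLE_REQUIREMENTS, fake_scan)
    print("allowed" if verdict.allowed else "blocked", verdict.reasons)
```

Wiring this in front of the agent's package install means an unpinned spec never reaches the scanner at all, which is deliberate: a version range is not something you can look up, so the agent should be forced to pin before the gate will even consider it. Swap `fake_scan` for a function that calls the real endpoint and keep the policy thresholds in one place.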
Don't want to integrate an API? Get a one-shot Aegis Quick Audit — submit a GitHub repo, get a branded PDF report with every CVE + CISA KEV flag in your dependency tree. 9 CHF, delivered in 24h, no account.
Try it — no wallet needed to start. curl -X POST https://aegis402.vmaxbadge.ch/trial gives you 10 free scans for 24h, tied to your IP, no signup, no email. Pass the returned token as an X-Trial-Token header on /scan. When your agent is ready for prod, drop the header and pay per-call via x402 on the same endpoint. Full manifest at https://aegis402.vmaxbadge.ch/mcp.
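The round-trip described above (POST the deps, get a 402 with the x402 challenge, retry with X-PAYMENT) and the trial path with X-Trial-Token, as an added example that is not Aegis402's SDK. The HTTP transport is injectable so the exchange can be run offline against a stand-in server; signing the USDC transfer authorization is delegated to a caller-supplied `pay` function because it depends on the wallet and x402 client library. The JSON field names of the challenge (`price`, `payTo`, ...), of the /trial response (`token`) and of the scan result (`scanned`) are assumptions made for the demo, not the service's documented schema.

```python
"""Client side of the /scan round-trip (added example, not Aegis402's SDK).

The transport is injectable so the 402 -> pay -> retry exchange runs offline.
JSON field names of the challenge, the /trial response and the result are
ASSUMPTIONS for the demo; the real schema is whatever the manifest documents.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Optional

BASE_URL = "https://aegis402.vmaxbadge.ch"


def urllib_transport(method: str, url: str, headers: dict, body: Optional[bytes]):
    """Real transport: returns (status, headers, body) and does not raise on 4xx."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


class PaymentRequired(Exception):
    """Raised when the server wants payment and no `pay` function was supplied."""
    def __init__(self, challenge: dict):
        super().__init__("402 Payment Required")
        self.challenge = challenge


def get_trial_token(*, transport=urllib_transport, base_url=BASE_URL) -> str:
    """POST /trial and return the token to send as X-Trial-Token."""
    status, _, raw = transport("POST", f"{base_url}/trial", {}, None)
    if status != 200:
        raise RuntimeError(f"/trial returned HTTP {status}")
    return json.loads(raw)["token"]      # ASSUMPTION: key name in the trial response


def scan(deps: list, *, transport=urllib_transport, trial_token: Optional[str] = None,
         pay: Optional[Callable[[dict], str]] = None, base_url=BASE_URL) -> dict:
    """Scan (ecosystem, package, version) dicts; on 402, pay once and retry."""
    headers = {"content-type": "application/json"}
    if trial_token:
        headers["X-Trial-Token"] = trial_token
    body = json.dumps({"deps": deps}).encode()
    status, _, raw = transport("POST", f"{base_url}/scan", headers, body)
    if status == 402:
        challenge = json.loads(raw or b"{}")   # price, wallet address, network, asset
        if pay is None:
            raise PaymentRequired(challenge)
        headers["X-PAYMENT"] = pay(challenge)  # signed USDC transfer authorization
        status, _, raw = transport("POST", f"{base_url}/scan", headers, body)
    if status != 200:
        raise RuntimeError(f"/scan returned HTTP {status}: {raw[:200]!r}")
    return json.loads(raw)


# ---- constructed server stand-in so the exchange can be exercised offline ----------
class FakeServer:
    """Mimics the behaviour the post describes; all JSON bodies are invented."""
    def __init__(self):
        self.calls = []                  # (endpoint, sorted header names) per request

    def __call__(self, method, url, headers, body):
        self.calls.append((url.rsplit("/", 1)[-1], sorted(headers)))
        if url.endswith("/trial"):
            return 200, {}, json.dumps({"token": "trial-token-constructed"}).encode()
        paid = "X-PAYMENT" in headers
        on_trial = headers.get("X-Trial-Token") == "trial-token-constructed"
        if paid or on_trial:
            n = len(json.loads(body)["deps"])
            return 200, {}, json.dumps({"results": [], "scanned": n}).encode()
        challenge = {"price": "0.005", "asset": "USDC", "network": "base",
                     "payTo": "0xPLACEHOLDER"}   # constructed challenge shape
        return 402, {}, json.dumps(challenge).encode()


def paid_demo() -> tuple:
    """Run 402 -> pay -> retry against the stand-in; returns (result, call log)."""
    server = FakeServer()
    deps = [{"ecosystem": "pip", "package": "rembg", "version": "2.0.74"}]
    result = scan(deps, transport=server,
                  pay=lambda ch: f"signed:{ch['price']}:{ch['payTo']}")  # stand-in signer
    return result, server.calls


if __name__ == "__main__":
    print(paid_demo())
```

The call log is the useful part when debugging an integration: a correct run is exactly two POSTs to /scan, the first carrying no payment header and the second carrying X-PAYMENT; a trial run is one POST to /trial and then a single POST to /scan. Anything else means the client is retrying blindly or sending the trial header into production.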