Demo’ing/Testing the scans
Use this page to learn what you need to do to trigger different scans for testing or demo purposes.
- Hidden Characters Scan
- MCP Dependencies Scan
- Malicious Extensions Scan
- Domain Structure Detection Improvement Scan
Hidden Characters Scan
- Download the following file and decompress – File Download
- Open the html file
- Copy the contents via the button
- Create a new cursor rule and paste the contents (under the more structured text)
- Save the file
- If Kirin is on it should delete what you just pasted, and generate an alert
Hidden Characters Scan
- Download the following file and decompress
- Open the html file
- Copy the contents via the button
- Create a new cursor rule and paste the contents (under the more structured text)
- Save the file
- If Kirin is on it should delete what you just pasted, and generate an alert
MCP Dependencies Scan
To demo MCP Dependencies scan:
- Open mcp.json to configure MCP servers for cursor (File–> Preferences–> Cursor settings –> MCP –> New MCP Server –> (should open mcp.json file))
- Add some mcp server, that you would like to use (or scan) — it has to run with npm/npx or uv/uvx
-
- For example actual mcp server (that uses @latest version tag):
-
{
"awslabs.nova-canvas-mcp-server": {
"command": "uvx",
"args": [
"awslabs.nova-canvas-mcp-server@latest"
],
"env": {
"AWS_PROFILE": "your-aws-profile",
"AWS_REGION": "us-east-1",
"FASTMCP_LOG_LEVEL": "ERROR"
}
}
}- For example random python dependency (that’s actually not mcp server, but has vulnerabilities)
{
"test-mcp-server": {
"command": "uvx",
"args": [
"[email protected]"
],
"disabled": false,
"autoApprove": []
}
}- And example with node modules (again not actual mcp server)
"mcp-server": {
"command": "npx",
"args": [
"@modelcontextprotocol/sdk@latest"
],
"disabled": false,
"autoApprove": []
}- Save and trigger “scan now”.
Malicious Extensions Scan
Typo-squatting Detection
- Create a test extension with a malicious publisher name:
# Create test extension
rm -rf test-typo && mkdir test-typo && cd test-typo
echo '{"name":"test-extension","version":"1.0.0","publisher":"micr0soft","engines":{"vscode":"^1.60.0"}}' > package.json
vsce package --no-dependencies --allow-missing-repository
# Install it (run from test-typo directory)
cursor --install-extension test-extension-1.0.0.vsix
- Run Kirin scan – Should detect typo-squatting of “microsoft” (medium severity)
- Cleanup:
cursor --uninstall-extension micr0soft.test-extension
cd .. && rm -rf test-typo
More Examples to Test
Just change the “publisher” field:
- “micr0soft” → detects microsoft (0 instead of o)
- “microssoft” → detects microsoft (extra s)
- “githup” → detects github (p instead of b)
- “gooogle” → detects google (extra o)
- “micro-soft” → detects microsoft (hyphen removed)
Or create extension with trusted name + malicious publisher:
{
"name": "prettier-vscode",
"publisher": "malicious-pub",
...
}
Should detect typo-squatting of “esbenp.prettier-vscode”
What Gets Detected
✅ Publishers within 2 characters of trusted names
✅ Malicious character substitutions (l↔I↔1, o↔0, etc.)
✅ Extensions copying high-value extension names
❌ Trusted publishers (microsoft, github, google, esbenp, etc.)
Domain Structure Detection Improvement Scan
Suspicious Publishers (Should Detect)
Random characters (should be flagged):
cd test-domain
cat > package.json << 'EOF'
{"name":"test4","version":"1.0.0","publisher":"aaaabbbcccc","engines":{"vscode":"^1.60.0"}}
EOF
vsce package --no-dependencies --allow-missing-repository
cursor --install-extension test4-1.0.0.vsix
cd ..
High number ratio (should be flagged):
cd test-domain
cat > package.json << 'EOF'
{"name":"test5","version":"1.0.0","publisher":"test12345678","engines":{"vscode":"^1.60.0"}}
EOF
vsce package --no-dependencies --allow-missing-repository
cursor --install-extension test5-1.0.0.vsix
cd ..
Run Kirin scan – Should flag these as suspicious publisher patterns
Cleanup
cursor --uninstall-extension legitusername.test
cursor --uninstall-extension mycodetool.test2
cursor --uninstall-extension aaaabbbcccc.test4
cursor --uninstall-extension test12345678.test5
rm -rf test-domain