Monitor — Shadow AI
Discover and govern MCP servers, skills, and AI tools running on developer machines across your organization.
Overview
The Shadow AI monitor deploys a lightweight scan agent to developer machines. The agent periodically scans for MCP server configurations, AI coding tool skills, and AI agent installations, then reports findings back to Webrix Connect. Admins get a unified dashboard to view, search, and govern all discovered capabilities.
Scan Agent
The Webrix Scan Agent runs as a background service on macOS and Windows. It discovers:
- MCP Servers — stdio, SSE, and HTTP servers configured in Cursor, Claude Desktop, VS Code, Windsurf, and other AI coding tools
- Skills — Claude Code SKILL.md files, Cursor rules, and other AI skill definitions
- AI Agents — which AI coding tools are installed on each machine
Downloads
Download the latest version from the Shadow AI page in the Webrix dashboard: Connect → Setup Instructions. The dashboard provides:
| Platform | Files |
|---|---|
| macOS | .pkg installer + .mobileconfig profile (pre-filled for your org) |
| Windows x64 | .zip package + .reg registry policy (pre-filled for your org) |
macOS Installation
Option 1: MDM Deployment (Jamf, Mosyle, Kandji) — Recommended
- Download the
.pkginstaller and.mobileconfigprofile from the dashboard - Upload both to your MDM console
- Push to target machines
The profile contains your organization's connection details. No further configuration is needed on each machine.
Option 2: Manual Installation
- Download the
.pkgand.mobileconfigfrom the dashboard - Install the package:
sudo installer -pkg mcp-s-scan-agent-X.Y.Z.pkg -target /
-
Install the config profile — double-click the
.mobileconfigfile, then go to System Settings > Privacy & Security > Profiles and click Install. -
Start the service:
sudo launchctl load /Library/LaunchDaemons/com.mcp-s-scan.agent.plist
macOS Management Commands
# Check status
sudo launchctl list | grep mcp-s-scan
# View logs
tail -f /var/log/mcp-s-scan/agent-error.log
# Restart
sudo launchctl kickstart -k system/com.mcp-s-scan.agent
# Uninstall
sudo /usr/local/bin/mcp-s-scan-uninstall.sh
macOS Install Paths
| Path | Description |
|---|---|
/usr/local/bin/mcp-s-scan-agent | Agent binary |
/Applications/Webrix Menubar.app | Menu bar status app |
/Library/LaunchDaemons/com.mcp-s-scan.agent.plist | Launch daemon |
/Library/Managed Preferences/com.mcp-s-scan.agent.plist | MDM preferences (from .mobileconfig) |
/var/log/mcp-s-scan/ | Log files |
Windows Installation
Option 1: GPO / Intune Deployment — Recommended
- Download the
.zippackage and.regpolicy file from the dashboard - Import the
.regfile via GPO or deploy it with Intune - Deploy the
.zipand runinstall.ps1via your MDM
The registry policy contains your organization's connection details. The agent reads them automatically on startup.
Option 2: Manual Installation
- Download the
.zipand.regfile from the dashboard - Extract the zip for your architecture (amd64 or arm64)
- Double-click the
.regfile to import the registry policy - Open PowerShell as Administrator and run:
powershell -ExecutionPolicy Bypass -File install.ps1
- Start the agent:
Start-ScheduledTask -TaskName "MCP-S-Scan Agent"
Windows Management Commands
# Check status
Get-ScheduledTask -TaskName "MCP-S-Scan Agent" | Select-Object State
# View logs
Get-Content C:\ProgramData\mcp-s-scan\logs\agent.log -Tail 50
# Restart
Stop-ScheduledTask -TaskName "MCP-S-Scan Agent"
Start-ScheduledTask -TaskName "MCP-S-Scan Agent"
# Uninstall
powershell -ExecutionPolicy Bypass -File "C:\Program Files\MCP-S-Scan\uninstall.ps1"
Windows Install Paths
| Path | Description |
|---|---|
C:\Program Files\MCP-S-Scan\mcp-s-scan-agent.exe | Agent binary |
C:\Program Files\MCP-S-Scan\webrix-menubar.exe | System tray app |
C:\ProgramData\mcp-s-scan\logs\ | Log files |
HKLM\SOFTWARE\Policies\MCP-S-Scan | Registry policy (from .reg file) |
Configuration Reference
The agent reads its configuration from profiles — .mobileconfig on macOS, registry policy on Windows. The Webrix dashboard generates these pre-filled for your organization.
| Field | Type | Description |
|---|---|---|
serverUrl | string | Your Webrix Connect URL (e.g. https://connect.your-org.webrix.ai) |
authToken | string | Organization token in orgSlug:signature format |
intervalSeconds | int | Scan interval in seconds (default: 60) |
Webhook API
As an alternative to the scan agent, you can send device scan data directly via the webhook API. This is useful for custom integrations or environments where agent installation is not feasible.
Find your webhook URL and authorization header in the dashboard under Connect → Use Webhook.
curl -X POST "https://connect.your-org.webrix.ai/api/device-scan" \
-H "Authorization: your-org:your-token" \
-H "Content-Type: application/json" \
-d '{"platform":"darwin","scanDate":"...","deviceInfo":{...},"foundFiles":[...],"capabilities":[...]}'
Dashboard Features
Once devices start reporting, the Shadow AI dashboard shows:
- Devices — all connected machines with OS, user, and last scan time
- MCP Servers — every discovered MCP server grouped by AI agent, with risk status
- Skills — discovered AI skills and their governance status (managed, allowed, shadow)
- AI Agents — which coding tools are in use across your organization
- Governance stats — managed vs. shadow vs. allowed breakdown
- Policy checks — automated risk assessment for discovered capabilities
- Allow lists — approve known-good capabilities without adding them to the gateway
Tips
- Use the map view on the Devices tab to visualize relationships between devices, MCP servers, and skills.
- Enable policies in your organization settings to get automated risk scoring for all discovered capabilities.
- Add trusted capabilities to the allow list to mark them as approved without proxying through the gateway.