The Shadow AI Problem
When employees configure MCP servers or install AI skills directly in their coding tools (Cursor, Claude Code, Claude Desktop / Cowork, VS Code, Codex, Hermes, Windsurf, Goose, Zed, OpenCode, Cline, Cline CLI, Gemini CLI, Antigravity, GitHub Copilot CLI, etc.), these integrations operate outside centralized observability and control. This creates a shadow IT problem for AI tooling that security teams must address.
The Shadow page in the sidebar gives you a dashboard view of all shadow discovery metrics — scanned devices, managed vs. shadow server breakdowns, a Shadow vs Managed comparison chart, a Shadow Server Discoveries timeline, skill discovery timelines by risk level, and top repositories with shadow skills. A Connectors section shows the most common shadow servers, users with shadow servers, top servers to migrate, and which MCP clients are in use. A Skills section shows shadow skill discoveries over time, the most common shadow skills, users with shadow skills, and shadow skills broken down by client. Use it alongside Detect and Enforce for full visibility.
Runlayer provides two complementary approaches to address shadow AI:
Detect
Discover and inventory shadow MCP servers and skills via scheduled scans
Enforce
Block unmanaged MCP sources and policy-check local tool calls in real time
Security Risks
Shadow MCP Servers
Shadow MCP servers pose significant security risks:
- Data exfiltration — Risky MCP servers can steal source code, credentials, API keys, and customer data
- Supply chain attacks — Compromised or trojanized MCP packages can inject risky behavior into otherwise legitimate tools
- Prompt injection — Shadow MCPs may contain tool poisoning attacks that manipulate AI behavior
- Lateral movement — MCPs with broad permissions can be exploited to access internal systems
- Compliance violations — Uncontrolled access to PII, PHI, or regulated data without audit trails
Shadow Skills
Skills are instruction files that extend AI coding assistants with specialized knowledge, workflows, and tool integrations — such as SKILL.md files. When these are installed outside organizational control, they become shadow skills. Shadow skills introduce distinct risks:
- Prompt injection — Skill instructions can manipulate AI behavior, override safety guidelines, or inject malicious prompts
- Unauthorized automation — Skills can define workflows that automate actions beyond what an organization has approved
- Supply chain risk — Unvetted community skills may contain instructions that exfiltrate data or introduce vulnerabilities
Why This Matters for Security Teams
Unlike traditional shadow IT, shadow AI is particularly dangerous because:
- AI amplifies access — A single MCP or skill can give AI assistants broad access to databases, APIs, and file systems
- Actions are automated — MCPs enable AI to take actions autonomously, not just read data
- No audit trail — Shadow MCPs and skills operate outside your logging and monitoring infrastructure
- Difficult to detect — MCP configurations and skill files are stored in user-space config files, not installed as traditional software
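Because MCP servers live in user-space JSON config files rather than in an installed-software inventory, discovery means parsing those files and comparing each entry with what the organization manages. The sketch below is an added example, not Runlayer's code: the `mcpServers` / `servers` key layout, the approved gateway hostname, and the sample config are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Assumption: hostnames of the organization's approved MCP gateway (placeholder value).
MANAGED_HOSTS = {"mcp-gateway.example.internal"}

# Constructed sample of a client config using the "mcpServers" layout.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "corp-github": {"url": "https://mcp-gateway.example.internal/github"},
    "notes-sync": {"command": "npx", "args": ["-y", "notes-sync-mcp"]},
    "db-helper": {"url": "https://db-helper.example.net/mcp",
                  "headers": {"Authorization": "Bearer CONSTRUCTED-TOKEN"}}
  }
}
"""

def classify_server(entry):
    """Return (status, reason) for one MCP server entry."""
    url = entry.get("url")
    if url:
        host = urlparse(url).hostname or ""
        if host in MANAGED_HOSTS:
            return "managed", f"remote endpoint on approved host {host}"
        return "shadow", f"remote endpoint on unapproved host {host or '(none)'}"
    if entry.get("command"):
        # Locally spawned (stdio) servers never pass through the gateway.
        return "shadow", f"local process launched via {entry['command']}"
    return "unknown", "entry has neither url nor command"

def inventory(config_text, source="<inline>"):
    """Parse one config document and list every server with its classification."""
    try:
        doc = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [{"source": source, "name": None, "status": "unparsed", "reason": str(exc)}]
    servers = (doc.get("mcpServers") or doc.get("servers") or {}) if isinstance(doc, dict) else {}
    findings = []
    for name, entry in sorted(servers.items()):
        status, reason = classify_server(entry if isinstance(entry, dict) else {})
        # Record whether credentials are embedded, without ever copying their values.
        has_secret = isinstance(entry, dict) and bool(entry.get("env") or entry.get("headers"))
        findings.append({"source": source, "name": name, "status": status,
                         "reason": reason, "embedded_credentials": has_secret})
    return findings

if __name__ == "__main__":
    print(*inventory(SAMPLE_CONFIG), sep="\n")
```

A config that fails to parse is reported as `unparsed` rather than skipped, so a malformed file does not silently hide a server from the inventory.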
Choosing an Approach
| Feature | Detect | Enforce |
|---|---|---|
| Purpose | Discovery and inventory | Real-time control |
| When it runs | Scheduled scans via MDM | Continuous interception |
| What it does | Finds shadow servers and skills, classifies them | Blocks/allows unmanaged MCP sources and policy-checked local tool calls |
| Scope | MCP servers and skills | Hook-supported clients; local tool scanning requires full session scanning APIs + enabled hook client |
| Best for | Visibility, compliance audits | Active security enforcement |
- Deploy Detect to discover existing shadow servers and skills
- Deploy Enforce to block unmanaged MCP sources and policy-check local tool activity from supported hook clients
Related Resources
Re-analyzing Classifications
Refresh server and skill classifications after changes
Responding to Discoveries
Security team response framework
Troubleshooting
Common issues and solutions