CCM
/MCP
SkillsMCPMarketplacesDigestToolsAdvertise

This week in Claude

Every Monday: Claude Code, Agent SDK, MCP, and the Anthropic platform moves worth your time.

Skills by Category
Frontend DevelopmentBackend & APIsTesting & QASecurityDevOps & CI/CDGit & Pull RequestsDocumentationCode Review & QualityAI & Agent BuildingSkill Development
MCP Servers by Category
Sales & MarketingWeb & Browser AutomationDatabasesAI & LLM ToolsCloud & InfrastructureCommunication & MessagingDeveloper ToolsDesign & CreativeDocuments & KnowledgeSearch & Web Crawling
Marketplaces by Category
AI Agents & OrchestrationLLM IntegrationDevelopment ToolsFrontend & UIBackend & APIsDatabasesTesting & Code QualityDevOps & CloudSecurity & ComplianceGit & Version Control

Claude Code Marketplaces

Discover Claude Code plugins, extensions, and tools. Automatically updated directory of Anthropic Claude AI marketplaces with development tools, productivity plugins, and integrations.

Resources

  • Browse Skills
  • Browse MCP Servers
  • Browse Marketplaces
  • Plugins Reference

Community

  • About
  • Tools
  • Feedback
  • Privacy Policy
  • Advertise

Built for the Claude Code community with Claude Code by @mertduzgun

Independent project, not affiliated with Anthropic

agent-bom

msaad00/agent-bom
2236 toolsauthSTDIOregistry active
Summary

If you're running AI agents in production or building on MCP, this scanner gives you the blast radius view you actually need. It inventories agents, MCP servers, tools, packages, and credential references, then maps vulnerabilities from OSV and GHSA through the dependency graph to show you which agents can reach which exposed attack paths. You get CLI output for CI gates, MCP tools for agent driven security queries, and a self hosted dashboard that visualizes the full mesh. The quickstart command seeds demo data so you can see graph backed findings before pointing it at your own stack. Useful when you need to answer "what breaks if this package is compromised" or enforce pre install guards across a fleet.

CodeRabbit
CodeRabbit
AI writes the code. CodeRabbit catches the slop.
Try For Free →
AppSignal
AppSignal
Monitor with ease. Code with confidence.
Start Free Trial →
AI notepad for back-to-back meetings
AI notepad for back-to-back meetings
Notes, actions and memory. Without a meeting bot. First month 100% off.
Download for free →
Keep your Mac awake
Keep your Mac awake
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Email for Agents: Free tier availableEmail for Agents: Free tier available
Email for Agents: Free tier available
Give your AI agent a complete email layer—sending, inbound inboxes, and sandbox testing.
Get 4K emails/month free →
Context.devContext.dev
Context.dev
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
CodeScene MCP ServerCodeScene MCP Server
CodeScene MCP Server
Your agent targets a perfect 10 Code Health score. Deterministic. Every commit.
Try For Free →
Make your agent a DeFi expert
Make your agent a DeFi expert
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
CodeRabbit
CodeRabbit
AI writes the code. CodeRabbit catches the slop.
Try For Free →
AppSignal
AppSignal
Monitor with ease. Code with confidence.
Start Free Trial →
AI notepad for back-to-back meetings
AI notepad for back-to-back meetings
Notes, actions and memory. Without a meeting bot. First month 100% off.
Download for free →
Keep your Mac awake
Keep your Mac awake
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Email for Agents: Free tier availableEmail for Agents: Free tier available
Email for Agents: Free tier available
Give your AI agent a complete email layer—sending, inbound inboxes, and sandbox testing.
Get 4K emails/month free →
Context.devContext.dev
Context.dev
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
CodeScene MCP ServerCodeScene MCP Server
CodeScene MCP Server
Your agent targets a perfect 10 Code Health score. Deterministic. Every commit.
Try For Free →
Make your agent a DeFi expert
Make your agent a DeFi expert
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →

Tools

Public tool metadata for what this MCP can expose to an agent.

36 tools
scanRun a full AI supply chain security scan. Discovers local MCP configurations (Claude Desktop, Cursor, Windsurf, VS Code Copilot, OpenClaw, etc.), extracts package dependencies, queries OSV.dev for CVEs, assesses config security (credential exposure, tool access), computes blas...13 params

Run a full AI supply chain security scan. Discovers local MCP configurations (Claude Desktop, Cursor, Windsurf, VS Code Copilot, OpenClaw, etc.), extracts package dependencies, queries OSV.dev for CVEs, assesses config security (credential exposure, tool access), computes blas...

Parameters* required
imagevalue
Docker image to scan (e.g. 'nginx:1.25', 'ghcr.io/org/app:v1').
enrichboolean
Enable NVD CVSS, EPSS probability, and CISA KEV enrichment.default: false
policyvalue
Policy object to evaluate alongside scan results, e.g. {"rules": [{"id": "no-critical", "severity_gte": "critical", "action": "fail"}]}.
sbom_pathvalue
Path to existing CycloneDX or SPDX JSON SBOM file to ingest.
scorecardboolean
Enrich packages with OpenSSF Scorecard scores (requires resolvable GitHub repos).default: false
db_sourcesvalue
Comma-separated DB sources to sync before scanning (e.g. 'nvd,ghsa,osv,epss,kev').
transitiveboolean
Resolve transitive dependencies for npx/uvx packages.default: false
config_pathvalue
Path to MCP client config directory. Auto-discovers all if omitted.
fail_severityvalue
Return failure status if vulns at this severity or higher: critical, high, medium, low.
output_formatstring
Output format: 'json' (default), 'sarif', 'cyclonedx', 'spdx', 'junit', 'csv', or 'markdown'.default: json
warn_severityvalue
Return warning status (gate_status=warn, exit 0) when vulns at this severity or higher exist. Use with fail_severity for two-tier CI gates, e.g. warn_severity='medium', fail_severity='critical'.
auto_update_dbboolean
Auto-refresh local vuln DB if stale (>7 days) before scanning.default: true
verify_integrityboolean
Verify package SHA-256/SRI hashes and SLSA provenance against registries.default: false
checkCheck a specific package for known CVEs before installing. Queries OSV.dev for vulnerabilities in the given package. Use this before installing an MCP server or dependency to verify it is safe. Args: package: Package name with optional version, e.g. "express@4.18.2", "@modelco...2 params

Check a specific package for known CVEs before installing. Queries OSV.dev for vulnerabilities in the given package. Use this before installing an MCP server or dependency to verify it is safe. Args: package: Package name with optional version, e.g. "express@4.18.2", "@modelco...

Parameters* required
packagestring
Package name with optional version, e.g. 'express@4.18.2', '@modelcontextprotocol/server-filesystem@2025.1.14', or 'requests' (resolves @latest).
ecosystemstring
Package ecosystem: 'npm', 'pypi', 'go', 'cargo', 'maven', 'nuget', 'rubygems', 'composer', 'swift', 'pub', 'hex', 'conda', 'deb', 'apk', or 'rpm'.default: npm
blast_radiusLook up the blast radius of a specific CVE across your AI agent setup. Scans local MCP configurations, finds the specified CVE, and returns the full attack chain: which packages are affected, which MCP servers use those packages, which agents connect to those servers, and what...1 params

Look up the blast radius of a specific CVE across your AI agent setup. Scans local MCP configurations, finds the specified CVE, and returns the full attack chain: which packages are affected, which MCP servers use those packages, which agents connect to those servers, and what...

Parameters* required
cve_idstring
CVE identifier to look up, e.g. 'CVE-2024-1234' or 'GHSA-xxxx'.
policy_checkEvaluate a security policy against current scan results. Runs a scan, then evaluates the provided policy rules against the findings. Policies can gate on severity thresholds, CISA KEV status, AI risk flags, credential exposure, and denied packages. Args: policy_json: JSON stri...1 params

Evaluate a security policy against current scan results. Runs a scan, then evaluates the provided policy rules against the findings. Policies can gate on severity thresholds, CISA KEV status, AI risk flags, credential exposure, and denied packages. Args: policy_json: JSON stri...

Parameters* required
policy_jsonstring
JSON string containing policy rules, e.g. {"rules": [{"id": "no-critical", "severity_gte": "critical", "action": "fail"}]}.
registry_lookupQuery the agent-bom MCP server threat intelligence registry. Look up risk level, known tools, credential requirements, and verification status for known MCP servers. The registry contains 109+ servers with security metadata. Args: server_name: MCP server name to look up (e.g....2 params

Query the agent-bom MCP server threat intelligence registry. Look up risk level, known tools, credential requirements, and verification status for known MCP servers. The registry contains 109+ servers with security metadata. Args: server_name: MCP server name to look up (e.g....

Parameters* required
server_namevalue
MCP server name to look up, e.g. 'filesystem', '@modelcontextprotocol/server-github'.
package_namevalue
Package name to search for, e.g. 'mcp-server-sqlite'. At least one of server_name or package_name is required.
generate_sbomGenerate a Software Bill of Materials (SBOM) for your AI agent setup. Discovers AI agents and MCP servers, extracts all package dependencies, and generates a standards-compliant SBOM. Args: format: SBOM format — "cyclonedx" (CycloneDX 1.6) or "spdx" (SPDX 3.0). config_path: Pa...2 params

Generate a Software Bill of Materials (SBOM) for your AI agent setup. Discovers AI agents and MCP servers, extracts all package dependencies, and generates a standards-compliant SBOM. Args: format: SBOM format — "cyclonedx" (CycloneDX 1.6) or "spdx" (SPDX 3.0). config_path: Pa...

Parameters* required
formatstring
SBOM format: 'cyclonedx' (CycloneDX 1.6) or 'spdx' (SPDX 3.0).default: cyclonedx
config_pathvalue
Path to MCP client config directory. Auto-discovers all if omitted.
complianceGet OWASP LLM Top 10 / OWASP MCP Top 10 / MITRE ATLAS / NIST AI RMF compliance posture. Scans local MCP configurations, maps findings to 47 security controls across four AI security frameworks, and returns per-control pass/warning/fail status with an overall compliance score....2 params

Get OWASP LLM Top 10 / OWASP MCP Top 10 / MITRE ATLAS / NIST AI RMF compliance posture. Scans local MCP configurations, maps findings to 47 security controls across four AI security frameworks, and returns per-control pass/warning/fail status with an overall compliance score....

Parameters* required
imagevalue
Docker image to scan, e.g. 'nginx:1.25'.
config_pathvalue
Path to MCP client config directory. Auto-discovers all if omitted.
remediateGenerate a remediation plan for vulnerabilities in your AI agent setup. Scans for vulnerabilities, then generates actionable fix commands for each affected package (npm install, pip install), credential scope reduction guidance, and reports on unfixable vulnerabilities. Args:...2 params

Generate a remediation plan for vulnerabilities in your AI agent setup. Scans for vulnerabilities, then generates actionable fix commands for each affected package (npm install, pip install), credential scope reduction guidance, and reports on unfixable vulnerabilities. Args:...

Parameters* required
imagevalue
Docker image to scan, e.g. 'nginx:1.25'.
config_pathvalue
Path to MCP client config directory. Auto-discovers all if omitted.
skill_scanScan skill and instruction files for trust, findings, and provenance. Discovers supported files such as `CLAUDE.md`, `AGENTS.md`, `.cursorrules`, and `skills/*.md`, then parses referenced packages, MCP servers, credential env vars, audit findings, and trust verdicts.1 params

Scan skill and instruction files for trust, findings, and provenance. Discovers supported files such as `CLAUDE.md`, `AGENTS.md`, `.cursorrules`, and `skills/*.md`, then parses referenced packages, MCP servers, credential env vars, audit findings, and trust verdicts.

Parameters* required
pathstring
Path to a skill/instruction file or directory to scan.default: .
skill_verifyVerify Sigstore provenance for skill and instruction files.1 params

Verify Sigstore provenance for skill and instruction files.

Parameters* required
pathstring
Path to a skill/instruction file or directory to verify.default: .
skill_trustAssess the trust level of a SKILL.md file using ClawHub-style categories. Parses a SKILL.md file, runs security audit checks, then evaluates trust across 5 categories: Purpose & Capability, Instruction Scope, Install Mechanism, Credentials, and Persistence & Privilege. Returns...1 params

Assess the trust level of a SKILL.md file using ClawHub-style categories. Parses a SKILL.md file, runs security audit checks, then evaluates trust across 5 categories: Purpose & Capability, Instruction Scope, Install Mechanism, Credentials, and Persistence & Privilege. Returns...

Parameters* required
skill_pathstring
Path to a SKILL.md file (or any skill/instruction file) to assess.
verifyVerify package integrity and SLSA provenance against registries. Checks SHA-256/SRI hashes against npm/PyPI registries and looks up SLSA build provenance attestations to confirm the package was built from its claimed source repository. Returns: JSON with integrity verification...2 params

Verify package integrity and SLSA provenance against registries. Checks SHA-256/SRI hashes against npm/PyPI registries and looks up SLSA build provenance attestations to confirm the package was built from its claimed source repository. Returns: JSON with integrity verification...

Parameters* required
packagestring
Package name with optional version, e.g. 'express@4.18.2' or 'requests==2.31.0'.
ecosystemstring
Package ecosystem: 'npm' or 'pypi'.default: npm
whereShow all MCP discovery paths and which config files exist. Lists every known MCP client config path per platform, indicating which files are present on the current system. Useful for debugging discovery issues or understanding where MCP configs live. Returns: JSON with per-cli...

Show all MCP discovery paths and which config files exist. Lists every known MCP client config path per platform, indicating which files are present on the current system. Useful for debugging discovery issues or understanding where MCP configs live. Returns: JSON with per-cli...

No parameter schema in public metadata yet.

inventoryList all discovered MCP configurations and servers without CVE scanning. Performs fast discovery and package extraction only — no vulnerability scanning. Use this for a quick inventory of configs, servers, and packages. Returns: JSON with discovered agents, their MCP servers,...1 params

List all discovered MCP configurations and servers without CVE scanning. Performs fast discovery and package extraction only — no vulnerability scanning. Use this for a quick inventory of configs, servers, and packages. Returns: JSON with discovered agents, their MCP servers,...

Parameters* required
config_pathvalue
Path to MCP client config directory. Auto-discovers all if omitted.
tool_risk_assessmentScore live-introspected MCP tool capabilities and server risk. Uses runtime `tools/list` data to classify tool capabilities (READ/WRITE/EXECUTE/NETWORK/etc.) and compute a per-server risk profile. Returns: JSON with per-server tool profiles, capability counts, dangerous combin...2 params

Score live-introspected MCP tool capabilities and server risk. Uses runtime `tools/list` data to classify tool capabilities (READ/WRITE/EXECUTE/NETWORK/etc.) and compute a per-server risk profile. Returns: JSON with per-server tool profiles, capability counts, dangerous combin...

Parameters* required
timeoutnumber
Per-server introspection timeout in seconds.default: 10
config_pathvalue
Path to MCP client config directory. Auto-discovers all if omitted.
diffCompare a fresh scan against a baseline to find new and resolved vulns. Runs a new scan, then diffs it against the provided baseline (or the latest saved report). Shows new vulnerabilities, resolved ones, and changes in the package inventory. Returns: JSON with new findings, r...1 params

Compare a fresh scan against a baseline to find new and resolved vulns. Runs a new scan, then diffs it against the provided baseline (or the latest saved report). Shows new vulnerabilities, resolved ones, and changes in the package inventory. Returns: JSON with new findings, r...

Parameters* required
baselinevalue
Baseline report JSON object. If omitted, uses the latest saved report from history.
marketplace_checkPre-install trust check for an MCP server package. Queries the package registry (npm or PyPI) for metadata and cross-references against the agent-bom MCP threat intelligence registry. Returns trust signals including download count, CVE status, and registry verification. Args:...2 params

Pre-install trust check for an MCP server package. Queries the package registry (npm or PyPI) for metadata and cross-references against the agent-bom MCP threat intelligence registry. Returns trust signals including download count, CVE status, and registry verification. Args:...

Parameters* required
packagestring
Package name, e.g. 'express', 'langchain'.
ecosystemstring
Package ecosystem: 'npm' or 'pypi'.default: npm
code_scanRun SAST (Static Application Security Testing) on source code via Semgrep. Scans for security flaws: SQL injection, XSS, command injection, hardcoded credentials, insecure deserialization, path traversal, etc. Returns findings with CWE classifications and severity levels. Requ...2 params

Run SAST (Static Application Security Testing) on source code via Semgrep. Scans for security flaws: SQL injection, XSS, command injection, hardcoded credentials, insecure deserialization, path traversal, etc. Returns findings with CWE classifications and severity levels. Requ...

Parameters* required
pathstring
Path to source code directory to scan.
configstring
Semgrep config. 'auto' = Semgrep Registry rules. Can be a path or registry string.default: auto
context_graphBuild an agent context graph with lateral movement analysis. Models reachability between agents, servers, credentials, tools, and vulnerabilities. Answers: "If agent X is compromised, what else becomes reachable?" Returns: JSON with nodes, edges, lateral_paths, interaction_ris...3 params

Build an agent context graph with lateral movement analysis. Models reachability between agents, servers, credentials, tools, and vulnerabilities. Answers: "If agent X is compromised, what else becomes reachable?" Returns: JSON with nodes, edges, lateral_paths, interaction_ris...

Parameters* required
max_depthinteger
Max BFS depth for lateral path discovery (1-6, default 4).default: 4
config_pathvalue
Path to MCP config directory. Omit to auto-discover.
source_agentvalue
Agent name to compute lateral paths from. Omit for all agents.
graph_exportExport the agent dependency graph in graph-native formats. Formats: - **graphml** — yEd, Gephi, NetworkX compatible with AIBOM-typed attributes - **cypher** — Neo4j import script with AIBOM node labels (AIAgent, MCPServer, Package, Vulnerability) - **dot** — Graphviz (pipe thr...2 params

Export the agent dependency graph in graph-native formats. Formats: - **graphml** — yEd, Gephi, NetworkX compatible with AIBOM-typed attributes - **cypher** — Neo4j import script with AIBOM node labels (AIAgent, MCPServer, Package, Vulnerability) - **dot** — Graphviz (pipe thr...

Parameters* required
formatstring
Export format: graphml, cypher, dot, mermaid, or json (default).default: json
config_pathvalue
Path to MCP config directory. Omit to auto-discover.
analytics_queryQuery vulnerability trends, posture history, and runtime event summaries from ClickHouse. Requires AGENT_BOM_CLICKHOUSE_URL to be set. Returns empty results if ClickHouse is not configured.5 params

Query vulnerability trends, posture history, and runtime event summaries from ClickHouse. Requires AGENT_BOM_CLICKHOUSE_URL to be set. Returns empty results if ClickHouse is not configured.

Parameters* required
daysinteger
Lookback window in days (default 30). Used by vuln_trends and posture_history.default: 30
agentvalue
Filter by agent name. Used by vuln_trends and posture_history.
hoursinteger
Lookback window in hours (default 24). Used by event_summary.default: 24
limitinteger
Max results for top_cves (default 20).default: 20
query_typestring
Query type: vuln_trends, top_cves, posture_history, or event_summary
cis_benchmarkRun CIS benchmark checks against a cloud account. Evaluates security posture against CIS Foundations Benchmarks: - AWS Foundations v3.0: 18 checks (IAM, Storage, Logging, Networking) - Snowflake v1.0: 12 checks (Auth, Network, Data Protection, Monitoring, Access Control) - Azu...6 params

Run CIS benchmark checks against a cloud account. Evaluates security posture against CIS Foundations Benchmarks: - AWS Foundations v3.0: 18 checks (IAM, Storage, Logging, Networking) - Snowflake v1.0: 12 checks (Auth, Network, Data Protection, Monitoring, Access Control) - Azu...

Parameters* required
checksvalue
Comma-separated check IDs to run (e.g. '1.1,2.1'). Omit to run all.
regionvalue
AWS region (only for provider=aws). Defaults to us-east-1.
profilevalue
AWS CLI profile (only for provider=aws).
providerstring
Cloud provider: 'aws', 'snowflake', 'azure', or 'gcp'.
project_idvalue
GCP project ID (only for provider=gcp). Falls back to GOOGLE_CLOUD_PROJECT env var.
subscription_idvalue
Azure subscription ID (only for provider=azure). Falls back to AZURE_SUBSCRIPTION_ID env var.
fleet_scanBatch-scan a list of MCP server names against the security metadata registry. Designed for fleet inventory data (CrowdStrike, SIEM, CSV exports) where you have server names but not versions. Returns per-server risk assessment with registry match status, risk category, tools, c...1 params

Batch-scan a list of MCP server names against the security metadata registry. Designed for fleet inventory data (CrowdStrike, SIEM, CSV exports) where you have server names but not versions. Returns per-server risk assessment with registry match status, risk category, tools, c...

Parameters* required
serversstring
Comma-separated or newline-separated list of MCP server names to scan. E.g. '@modelcontextprotocol/server-filesystem, brave-search, glean, 50 sleep'.
runtime_correlateCross-reference vulnerability scan results with proxy runtime audit logs. Identifies which vulnerable tools were ACTUALLY CALLED in production, distinguishing confirmed attack surface from theoretical risk. Produces risk-amplified findings: a vulnerable tool that was called 10...3 params

Cross-reference vulnerability scan results with proxy runtime audit logs. Identifies which vulnerable tools were ACTUALLY CALLED in production, distinguishing confirmed attack surface from theoretical risk. Produces risk-amplified findings: a vulnerable tool that was called 10...

Parameters* required
audit_logstring
Path to proxy audit JSONL log file (generated by 'agent-bom proxy --log audit.jsonl').default:
otel_tracestring
Path to OTel OTLP JSON trace file for ML API provenance (detects deprecated/vulnerable model versions).default:
config_pathstring
Path to MCP config directory (e.g. ~/.config/claude) or 'auto' for default discovery.default: auto
vector_db_scanScan for running vector databases and assess their security posture. Probes well-known ports for Qdrant (6333), Weaviate (8080), Chroma (8000), and Milvus (9091). For each discovered instance checks: - Authentication required (no_auth flag if collections accessible without cre...1 params

Scan for running vector databases and assess their security posture. Probes well-known ports for Qdrant (6333), Weaviate (8080), Chroma (8000), and Milvus (9091). For each discovered instance checks: - Authentication required (no_auth flag if collections accessible without cre...

Parameters* required
hostsvalue
Comma-separated hosts to probe (default: 127.0.0.1). Example: '127.0.0.1,10.0.0.5'.
aisvs_benchmarkRun AISVS v1.0 (AI Security Verification Standard) compliance checks. Evaluates the local AI system stack against OWASP AISVS v1.0 controls: - AI-4.1 Model files use safe serialization (not pickle/pt/bin) - AI-4.2 Model files have cryptographic integrity digest - AI-4.3 Ollama...1 params

Run AISVS v1.0 (AI Security Verification Standard) compliance checks. Evaluates the local AI system stack against OWASP AISVS v1.0 controls: - AI-4.1 Model files use safe serialization (not pickle/pt/bin) - AI-4.2 Model files have cryptographic integrity digest - AI-4.3 Ollama...

Parameters* required
checksvalue
Comma-separated AISVS check IDs to run (e.g. 'AI-4.1,AI-6.1'). Omit to run all 9 checks.
gpu_infra_scanDiscover GPU/AI compute infrastructure: containers, K8s nodes, and DCGM endpoints. Scans for GPU-enabled workloads from the local Docker daemon and Kubernetes clusters. Identifies NVIDIA base images, CUDA/cuDNN versions, explicit GPU device assignments, and unauthenticated DCG...2 params

Discover GPU/AI compute infrastructure: containers, K8s nodes, and DCGM endpoints. Scans for GPU-enabled workloads from the local Docker daemon and Kubernetes clusters. Identifies NVIDIA base images, CUDA/cuDNN versions, explicit GPU device assignments, and unauthenticated DCG...

Parameters* required
probe_dcgmboolean
Whether to probe DCGM exporter endpoints on port 9400 (unauthenticated metrics leak detection).default: true
k8s_contextvalue
kubectl context to use for K8s GPU node discovery. Omit for current context.
dataset_card_scanScan a directory for ML dataset card metadata and provenance. Discovers and parses: - HuggingFace dataset_info.json (auto-generated metadata) - HuggingFace README.md YAML frontmatter (dataset cards) - DVC .dvc tracking files (data versioning provenance) Flags: UNLICENSED_DATAS...1 params

Scan a directory for ML dataset card metadata and provenance. Discovers and parses: - HuggingFace dataset_info.json (auto-generated metadata) - HuggingFace README.md YAML frontmatter (dataset cards) - DVC .dvc tracking files (data versioning provenance) Flags: UNLICENSED_DATAS...

Parameters* required
directorystring
Directory path to scan for dataset cards (dataset_info.json, README.md frontmatter, .dvc files).
training_pipeline_scanScan a directory for ML training pipeline lineage and provenance. Discovers and parses: - MLflow: meta.yaml, MLmodel, requirements.txt, conda.yaml - Kubeflow: Argo workflow YAML, KFP v2 pipelineSpec YAML - W&B: wandb-metadata.json, config.yaml, wandb-summary.json Flags: UNSAFE...1 params

Scan a directory for ML training pipeline lineage and provenance. Discovers and parses: - MLflow: meta.yaml, MLmodel, requirements.txt, conda.yaml - Kubeflow: Argo workflow YAML, KFP v2 pipelineSpec YAML - W&B: wandb-metadata.json, config.yaml, wandb-summary.json Flags: UNSAFE...

Parameters* required
directorystring
Directory path to scan for training pipeline artifacts (MLflow, Kubeflow, W&B).
browser_extension_scanScan installed browser extensions for dangerous permissions. Scans Chrome, Chromium, Brave, Edge, and Firefox for extensions with: - nativeMessaging (can execute arbitrary commands) - debugger (can intercept all browser traffic) - cookies/clipboardRead on AI domains - Broad ho...1 params

Scan installed browser extensions for dangerous permissions. Scans Chrome, Chromium, Brave, Edge, and Firefox for extensions with: - nativeMessaging (can execute arbitrary commands) - debugger (can intercept all browser traffic) - cookies/clipboardRead on AI domains - Broad ho...

Parameters* required
include_low_riskboolean
Include low-risk extensions in results (default: only medium+ risk).default: false
model_provenance_scanCheck ML model provenance and supply chain metadata. Queries HuggingFace Hub or Ollama for: - Serialization format (safetensors=safe, pickle/pt=unsafe) - SHA256 digest verification - Gated/private status - Model card presence - Risk assessment (critical/high/medium/safe) Retur...2 params

Check ML model provenance and supply chain metadata. Queries HuggingFace Hub or Ollama for: - Serialization format (safetensors=safe, pickle/pt=unsafe) - SHA256 digest verification - Gated/private status - Model card presence - Risk assessment (critical/high/medium/safe) Retur...

Parameters* required
sourcestring
Model source: 'huggingface' or 'ollama' (default: huggingface).default: huggingface
model_idstring
HuggingFace model ID (e.g. 'meta-llama/Llama-3-8B') or Ollama model name (e.g. 'llama3').
prompt_scanScan prompt template files for injection risks and security issues. Discovers and analyzes: - .prompt files - system_prompt.* files - Files in prompts/ directories Checks for injection patterns, unsafe variable interpolation, and missing guardrails in prompt templates.1 params

Scan prompt template files for injection risks and security issues. Discovers and analyzes: - .prompt files - system_prompt.* files - Files in prompts/ directories Checks for injection patterns, unsafe variable interpolation, and missing guardrails in prompt templates.

Parameters* required
directorystring
Directory path to scan for prompt template files (.prompt, system_prompt.*, prompts/ directories).
model_file_scanScan a directory for ML model files and assess serialization risks. Discovers model files and checks: - Serialization format (safetensors=safe, pickle/joblib=unsafe) - File size and format metadata - GGUF/GGML quantization details - Known unsafe patterns in pickle-based format...1 params

Scan a directory for ML model files and assess serialization risks. Discovers model files and checks: - Serialization format (safetensors=safe, pickle/joblib=unsafe) - File size and format metadata - GGUF/GGML quantization details - Known unsafe patterns in pickle-based format...

Parameters* required
directorystring
Directory path to scan for ML model files (.gguf, .safetensors, .onnx, .pt, .pkl, .h5, etc.).
ai_inventory_scanScan source code for AI component usage patterns. Detects: - AI SDK imports (openai, anthropic, langchain, etc.) across 7 languages - Model string references (gpt-4o, claude-3-5-sonnet, llama-3, etc.) - Hardcoded API keys (sk-proj-*, sk-ant-*, hf_*, etc.) - Deprecated model us...1 params

Scan source code for AI component usage patterns. Detects: - AI SDK imports (openai, anthropic, langchain, etc.) across 7 languages - Model string references (gpt-4o, claude-3-5-sonnet, llama-3, etc.) - Hardcoded API keys (sk-proj-*, sk-ant-*, hf_*, etc.) - Deprecated model us...

Parameters* required
directorystring
Directory to scan for AI SDK imports, model refs, API keys, shadow AI (Python/JS/TS/Java/Go/Rust/Ruby).
license_compliance_scanEvaluate package licenses against compliance policy. Categorizes each package license using the full SPDX catalog (2,500+ licenses) with proper expression parsing (OR/AND/WITH), deprecated ID normalization, and network-copyleft detection (AGPL, EUPL, OSL). Risk tiers: permissi...2 params

Evaluate package licenses against compliance policy. Categorizes each package license using the full SPDX catalog (2,500+ licenses) with proper expression parsing (OR/AND/WITH), deprecated ID normalization, and network-copyleft detection (AGPL, EUPL, OSL). Risk tiers: permissi...

Parameters* required
scan_jsonstring
JSON string of a previous scan result (from the 'scan' tool) containing agents with packages. Or a JSON array of {"name": "pkg", "version": "1.0", "ecosystem": "npm", "license": "MIT"} objects.
policy_jsonstring
Optional JSON policy: {"license_block": ["GPL-*"], "license_warn": ["LGPL-*"]}. Uses default policy (block GPL/AGPL/SSPL/BUSL/EUPL/OSL, warn LGPL/MPL/EPL/CDDL) if empty.default:
ingest_external_scanIngest Trivy, Grype, or Syft JSON scan output and return packages with blast radius analysis. Auto-detects the scanner format from the JSON structure: - Trivy (``trivy fs --format json``): Results + Vulnerabilities - Grype (``grype --output json``): matches array - Syft (``syf...1 params

Ingest Trivy, Grype, or Syft JSON scan output and return packages with blast radius analysis. Auto-detects the scanner format from the JSON structure: - Trivy (``trivy fs --format json``): Results + Vulnerabilities - Grype (``grype --output json``): matches array - Syft (``syf...

Parameters* required
scan_jsonstring
JSON string from Trivy, Grype, or Syft scan output

agent-bom

Build PyPI Docker License OpenSSF Scorecard agent-bom on Glama agent-bom on Smithery

Open security scanner and self-hosted control plane for AI, MCP, and cloud infrastructure.

Headless agent primitives and human cockpit surfaces over one shared evidence model.

Live demo (read-only sandbox) · Docs · First Run · Self-host · GitHub Action · Docker · Changelog

First Run

pip install agent-bom
agent-bom scan -p .

agent-bom scan -p . prints a posture grade, blast radius, and fix-first findings inline — nothing to open. Optional next steps:

agent-bom db update                     # local vuln DB for --offline package/image scans
agent-bom quickstart --run --offline    # sample scan, gateway policy seed, dashboard data
agent-bom scan -p . -f html -o agent-bom-report.html

Then review posture as a team: pip install 'agent-bom[ui]' && agent-bom serve. Guided path: docs/FIRST_RUN.md · UI screenshots: docs/CAPTURE.md

agent-bom terminal demo

Product screenshots — packaged dashboard on seeded demo data

Overview command center with posture ring, findings breakdown, scan coverage, and environment tabs
Overview command center — posture ring, findings breakdown, scan coverage, environment tabs

Overview lower frame with exposure path and feed and analytics tabs
Overview — exposure path with feed and analytics tabs

Connections hub with connector gallery across cloud, code, AI, and data sources
Connections hub — connector gallery across cloud, code, AI, and data sources

New Scan form with connected account, ad-hoc, and public repo modes
New Scan — connected account, ad-hoc, and public repo modes

Fix-first attack-path queue with graph evidence export
Security graph — fix-first attack-path queue with evidence export

Lineage topology across environment, identity, MCP, package, credential, model, dataset, and finding nodes
Lineage graph — bounded topology across environment, identity, MCP, package, credential, model, dataset, and finding nodes

Agent-scoped context map with reachable MCP servers and lateral movement side panel
Context map — agent-scoped reachable MCP servers with lateral-movement panel

Agent mesh graph across agents, MCP servers, packages, tools, and findings
Blast radius — agent → MCP server → package → tool → CVE

Runtime gateway KPI rollup and live tool-call feed
Runtime gateway — KPI rollup and live tool-call feed

Fleet lifecycle review state with owner and environment
Fleet — lifecycle review state, owner, and environment

Audit log filtered to identity resources with HMAC integrity counters
Audit — identity lifecycle with tamper-evident HMAC counters

Findings queue with seeded package and CVE evidence
Findings — package and CVE evidence from the seeded demo estate

Fix-first remediation table with prioritized packages
Remediation — prioritized fix list with framework context

Synthetic seeded evidence for docs proof, captured from the real Next.js routes with a visible Demo data — sample environment label — not a claim these entities came from a buyer environment. Regenerate from the UI package with npm run capture:product-proof (see docs/CAPTURE.md). CLI demo GIF: bash scripts/render_demo_gif.sh.

Who It's For

agent-bom personas mapped to value proof: AppSec/GRC to SARIF and compliance, Platform/SRE to fleet sync and CI gates, agent builders to MCP inventory and runtime shield, security engineers to findings queue and attack paths

Four buyer lanes · one shared evidence model from scan → graph → report

Persona lane detail
  • AppSec / GRC — SARIF, compliance packs, and audit-ready exports from one scan.
  • Platform / SRE — fleet sync, Helm deploy, CI gates, SBOM — no separate scanner stack.
  • Agent builders — MCP inventory, Shield SDK, optional runtime proxy or gateway enforcement.
  • Security engineers — findings queue, attack-path drilldown, blast-radius context in CLI, API, and UI.

MCP server mode

  • Advertises 75 MCP tools, 6 resources, and 8 workflow prompts.
  • Registry metadata lives in the committed Smithery manifest and Glama listing; install and liveness checks are in the integration docs.

Architecture & how it works

One package, full stack: a React / Next.js cockpit and every headless caller hit the same FastAPI control plane, behind one middleware seam, over the same scan pipeline and stores. Everything normalizes into one Finding and one ContextGraph, so posture, blast radius, and enforcement read from a single evidence set. Deeper module and surface detail lives in docs/ARCHITECTURE.md.

The stack — UI ⇄ API + middleware ⇄ pipeline/enrichment ⇄ stores:

flowchart TB
    UI["React / Next.js UI<br/>exec single-pane · engineer drill"]
    HL["Headless<br/>CLI · MCP server · agents / CI"]
    MW["Middleware — one seam for every caller<br/>auth · tenant scope · RLS · rate-limit · audit"]
    API["FastAPI + uvicorn control plane<br/>REST API · MCP tools"]
    PIPE["Scan pipeline + scanners<br/>discover · OSV / advisories · reachability · cloud / CIS · IaC"]
    ENR["Enrichment<br/>NVD CVSS · EPSS · CISA KEV · distro advisories"]
    ST["Stores<br/>SQLite / Postgres + correlated graph store"]

    UI --> MW
    HL --> MW
    MW --> API
    API --> PIPE --> ENR --> ST
    API --> ST

The workflow — one read-only pipeline from source to answer:

flowchart LR
    C["connect<br/>read-only · brokered"] --> D["discover<br/>estate · agents · MCP"]
    D --> S["scan<br/>OSV · advisories · CIS · IaC"]
    S --> E["enrich<br/>CVSS · EPSS · KEV · reachability"]
    E --> R["correlate<br/>finding → asset → identity → config"]
    R --> G["graph<br/>blast radius · attack paths"]
    G --> X["serve<br/>exec read + engineer drill"]

Every stage is read-only and agentless; the dashboard shows live per-stage status rather than a black box.

Frontend — the human cockpit
  • Next.js 16 · React 19 · Tailwind 4 (ui/), built with next build.
  • Two altitudes in one pane: an exec single-pane read (posture, top risks, compliance evidence) that drills to engineer detail (reachability, path, fix).
  • Inventory, findings, graph, compliance, and runtime views all render from the same API — no privileged "UI-only" data path.
Backend — the FastAPI control plane
  • FastAPI + uvicorn, pure Python 3.11+ end to end (src/agent_bom/api/server.py).
  • The scan pipeline (src/agent_bom/api/pipeline.py, ScanPipeline) runs on a bounded ThreadPoolExecutor — heavy scan/DB work is offloaded off the event loop so reads stay responsive.
  • Stores scale without a rewrite: SQLite (default / single node) → Postgres (multi-replica), plus a correlated graph store.
  • Headless parity: the MCP server and CLI expose the same evidence to agents and CI, not just the UI.
Enrichment — from a CVE row to real-world risk
  • Scanners emit raw findings (src/agent_bom/scanners/ — OSV batch, GHSA, distro and vendor advisories); src/agent_bom/enrichment.py layers NVD CVSS · EPSS · CISA KEV and distro advisory data on top.
  • AST reachability (src/agent_bom/reachability_cve.py) resolves whether a vulnerable symbol is actually reachable — ranking by exploitability, not just CVSS.
  • The result feeds severity, exploitability, and blast-radius scoring.
  • Confidence tiers and the NVD key model are covered in the Accuracy model section below.
Correlated graph — the moat
  • ContextGraph / UnifiedGraph (src/agent_bom/context_graph.py) fuses assets → identities → configs/misconfigs → findings → attack paths into one connected model.
  • A vulnerable package links to the MCP server that loads it, the tools it exposes, reachable credential references, and the agents that can call it — a reachable blast radius, not an isolated CVE row.
  • Estate-scale CONTAINS roll-up keeps it readable and sargable at scale; the full contract is in docs/graph/CONTRACT.md.

Auth & Connections

The honest model — connect once, then every action runs through the stored connection. There is never a per-action credential prompt and no "paste your laptop login" to run a scan or push a result.

  • Humans sign in via OAuth / OIDC / SAML SSO (standard providers plus a Snowflake OAuth authorization-code + PKCE flow), with SCIM for user and group provisioning (src/agent_bom/api/{oidc,saml,scim}.py, snowflake_oauth.py).
  • Agents / CI authenticate with scoped API keys / tokens.
  • Sources (AWS, Azure, GCP, Snowflake) are onboarded once through read-only, agentless, brokered connectors — a single least-privilege managed role per source with short-lived, brokered credentials (e.g. AWS sts:AssumeRole); connection secrets are write-only (encrypted at rest, never read back). Setup and the exact grant per provider live in docs/CLOUD_CONNECT.md; the enterprise auth surface is in docs/ENTERPRISE.md.

Auth, tenant isolation, and audit are enforced once in middleware for the UI, agents, and SDKs alike — there is no privileged backdoor.

Control-plane architecture

agent-bom layered control-plane architecture

Blast radius drilldown

agent-bom blast-radius drilldown — package to finding to MCP server to agent

package -> vulnerability finding -> MCP server -> tools + credential refs -> agent
What it is — scanner, ContextGraph, and blast radius
  • Scanner + control plane — read-only, self-hosted, over local projects, agent fleets, MCP runtimes, and cloud estates (AWS, Azure, GCP, Snowflake).
  • ContextGraph — the unified evidence graph across CLI, API, UI, MCP tools, reports, and gateway decisions. Findings, assets, packages, cloud resources, identities, agents, MCP servers, credentials, and runtime decisions all normalize into it, so posture, blast radius, and enforcement read from one evidence set.
  • Blast radius — the core idea: a vulnerable package links to the MCP server that loads it, the tools it exposes, reachable credential references, and the agents that can call it — not just a CVE row.

Coverage depth and honest boundaries: AI infrastructure scanning · product boundaries

Accuracy model — match-confidence tiers and NVD key model

agent-bom normalizes advisory and distro evidence into canonical CVE findings with match-confidence tiers:

distro_confirmed > osv_range > osv_ecosystem > unfixed_distro > nvd_cpe_candidate

Distro-confirmed findings are treated as confirmed. Optional NVD CPE candidate matching widens long-tail OS/vendor software coverage, but remains review-grade and off by default.

NVD key model. End users do not need an NVD API key. CVE/CPE enrichment ships through the distributed vulnerability database. NVD_API_KEY is only an optional self-hosted freshness knob for operators rebuilding or refreshing the database.

Matching mechanics and release evidence: vulnerability matching · scanner accuracy baseline

Run It Anywhere

Two ladders: how you consume the shared evidence model, and where you run the control plane. You run it in your own boundary — no managed public SaaS in this repo yet.

Surfaces — one real command each:

  • CLI / CI — agent-bom scan -p . (or the GitHub Action).
  • Self-hosted platform — pip install 'agent-bom[ui]' && agent-bom serve — dashboard + API on one host.
  • Headless — agent-bom serve --no-ui + agent-bom mcp server for agents and CI.
  • Runtime proxy / gateway — agent-bom gateway serve — allow/warn/block audit trail.
  • Reports / exports — agent-bom scan -p . -f sarif -o findings.sarif.

Deploy targets — where the control plane runs, fastest → most-managed:

  • Docker Compose — fastest; one file, loopback by default → pilot compose
  • Helm / Kubernetes — cluster-native chart → chart
  • EKS — opinionated Terraform module → module
  • CloudFormation — one-click AWS stack → templates
  • Snowflake (SPCS native app) — host entirely inside your own Snowflake account → install guide
Local bring-up — Docker Compose in two commands
curl -fsSL https://raw.githubusercontent.com/msaad00/agent-bom/main/deploy/docker-compose.pilot.yml -o docker-compose.pilot.yml
docker compose -f docker-compose.pilot.yml up -d
# Dashboard -> http://localhost:3000

Pilot compose binds to 127.0.0.1 with loopback CORS only. Use docker-compose.platform.yml or docs/HOSTED_POC.md before sharing a link. Full guides: Deploy anywhere.

Start Here

Every lane writes into the same Finding and ContextGraph model. Pick the entry point that matches your role; see docs/PRODUCT_MAP.md for all entry points, auth boundaries, and surface detail.

NeedSurfaceFirst actionMain artifact
Scan a repo, image, or local agent configCLI / CIagent-bom scan -p .JSON, SARIF, SBOM, HTML
Connect cloud and data-estate evidenceCloud connectorsagent-bom connect aws then agent-bom cloud scanassets, CIS findings, graph edges
Review posture as a teamAPI + dashboardpip install 'agent-bom[ui]' && agent-bom servefindings, graph, audit, compliance
Give agents security toolsMCP serveragent-bom mcp serverstrict MCP tool responses
Govern runtime tool callsProxy / gatewayagent-bom gateway serveallow/warn/block audit trail
Package evidence for auditReports / exportsagent-bom scan -p . -f html -o report.htmlSARIF, CycloneDX, SPDX, JSON, HTML/PDF, compliance bundle
GoalCommand
Multi-hop exposure pathsagent-bom graph
LLM cost forecastagent-bom cost forecast
Non-human identity postureagent-bom identity credential-expiry
Advisory remediation planagent-bom remediate -p .
Gated-capability readinessagent-bom capabilities
CI gateuses: msaad00/agent-bom@v0.96.3

Full command map: docs/CLI_MAP.md · role routing: docs/START_HERE.md · repo layout: PROJECT_STRUCTURE.md

Cloud, Deploy, Trust

Cloud (read-only). Four connectors — AWS, Azure, GCP, Snowflake — are opt-in, agentless, and default-off. No secret values are read or stored. agent-bom connect <provider> prints the grant template and enable flag without network I/O until you opt in. Full intake map: docs/DATA_SOURCES.md

CloudEnableScan
AWSAGENT_BOM_AWS_INVENTORY=1agent-bom cloud aws
AzureAGENT_BOM_AZURE_INVENTORY=1agent-bom cloud azure
GCPAGENT_BOM_GCP_INVENTORY=1agent-bom cloud gcp
SnowflakeSSO or key-pair authpip install 'agent-bom[snowflake]' then agent-bom scan --snowflake

Snowflake auth defaults to browser SSO (externalbrowser); use SNOWFLAKE_AUTHENTICATOR=snowflake_jwt with SNOWFLAKE_PRIVATE_KEY_PATH for CI. agent-bom authenticates through the Python connector — no snowsql session needed. Setup and grants: docs/CLOUD_CONNECT.md

Deploy. Run in your own boundary — the Run It Anywhere ladders above cover Compose, Helm, EKS, CloudFormation, and the Snowflake SPCS native app. Full deploy guides: Deploy anywhere · Hosted POC · Helm · EKS module · CloudFormation · Snowflake native app · Docker Hub

Trust.

  • Read-only discovery by default; no mandatory telemetry.
  • Credential values redacted; env names preserved for explainable exposure paths.
  • Exports: JSON, SARIF, CycloneDX, SPDX, Parquet, CSV, Markdown, HTML, PDF, compliance bundles.
  • Tenant scope, auth boundaries, and audit evidence on API/runtime paths.

Threat model · Pentest readiness · Python client · Go client · Release verification · MCP security model

Contributing

Contributions are welcome. Start with CONTRIBUTING.md, .agents/AGENTS.md, and the open issues.

License: Apache-2.0.

Featured
CodeRabbit
CodeRabbit
AI writes the code. CodeRabbit catches the slop.
Try For Free →
AppSignal
AppSignal
Monitor with ease. Code with confidence.
Start Free Trial →
AI notepad for back-to-back meetings
AI notepad for back-to-back meetings
Notes, actions and memory. Without a meeting bot. First month 100% off.
Download for free →
Keep your Mac awake
Keep your Mac awake
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Email for Agents: Free tier availableEmail for Agents: Free tier available
Email for Agents: Free tier available
Give your AI agent a complete email layer—sending, inbound inboxes, and sandbox testing.
Get 4K emails/month free →
Context.devContext.dev
Context.dev
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
CodeScene MCP ServerCodeScene MCP Server
CodeScene MCP Server
Your agent targets a perfect 10 Code Health score. Deterministic. Every commit.
Try For Free →
Make your agent a DeFi expert
Make your agent a DeFi expert
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →

Configuration

NVD_API_KEYsecret

NVD API key for higher rate limits on vulnerability enrichment

Categories
AI & LLM ToolsCloud & InfrastructureSecurity & Pentesting
Registryactive
Packageagent-bom
TransportSTDIO
AuthRequired
UpdatedApr 28, 2026
View on GitHub

Related AI & LLM Tools MCP Servers

View all →
SkillFM LLM Cost Optimizer

io.github.ericm1018/skillfm-llm-cost-optimizer-openai-anthropic-usage

LLM cost optimizer for OpenAI, Anthropic, token usage, BYOK, and SkillFM Beacon audits.
Llm Orchestration Agent

io.github.mikerawsonnz/llm-orchestration-agent

Run a prompt through a LangChain (system + human) chain over Gemini on Vertex AI; optional LangSmith
Authenticated Llm Agent

io.github.mikerawsonnz/authenticated-llm-agent

JWT-gated LLM gateway: authenticate (bcrypt/JWT), then run a LangChain-on-Vertex Gemini completion.
Copilot Memory MCP

labforgedev/copilot-memory-mcp

Persistent semantic memory for AI agents using local ChromaDB vector search. No cloud required.
1
Agent Prompt Injection Firewall Mcp

csoai-org/agent-prompt-injection-firewall-mcp

The WAF for agents. Pattern-based + heuristic firewall scans prompts, RAG documents, tool argume...
Authenticated Multi Llm Agent

io.github.mikerawsonnz/authenticated-multi-llm-agent

Google-OAuth-gated LLM gateway: verify a Google ID token, then run a Gemini (Vertex AI) completion f