Skip to main content
Glama
agentverus

AgentVerus MCP Server

Official
by agentverus

AgentVerus MCP Server

Security scanning for AI agent skills, exposed as MCP tools. Scan skills from ClawHub, GitHub, skills.sh, or raw URLs — directly from your AI agent.

164 tests · 6 analyzers · ASST taxonomy · Hosted trust_check commerce

Quick Start

Add to your agent's MCP configuration:

Published package: agentverus-scanner-mcp

If you want the hosted commercial tools (list_offers, trust_check), set:

  • AGENTVERUS_API_KEY for authenticated calls to https://agentverus.ai/api/v1/trust/check

  • AGENTVERUS_BASE_URL only if you need a non-production AgentVerus base URL

Claude Desktop / Cursor / Windsurf

{
  "mcpServers": {
    "agentverus": {
      "command": "npx",
      "args": ["-y", "agentverus-scanner-mcp"]
    }
  }
}

OpenClaw

{
  "mcp": {
    "agentverus": {
      "command": "npx",
      "args": ["-y", "agentverus-scanner-mcp"]
    }
  }
}

Related MCP server: securityscan

Tools

check_skill

Check a skill by name or identifier. Resolves ClawHub slugs, GitHub repos, and skills.sh paths automatically.

check_skill({ source: "web-search" })
check_skill({ source: "vercel-labs/agent-skills/react-best-practices" })

list_offers

Fetch the machine-readable AgentVerus offer catalog.

list_offers({})

trust_check

Call the hosted AgentVerus Trust Check SKU. Requires AGENTVERUS_API_KEY.

trust_check({ url: "https://raw.githubusercontent.com/owner/repo/main/SKILL.md" })
trust_check({ skillId: "11111111-1111-1111-1111-111111111111" })

scan_url

Scan a skill from any URL — GitHub, ClawHub, skills.sh, or raw SKILL.md.

scan_url({ url: "https://github.com/owner/repo" })

scan_skill

Scan skill content directly (pass the raw SKILL.md text).

scan_skill({ content: "---\nname: my-skill\n---\n# My Skill\n..." })

explain_finding

Get a detailed explanation of any ASST security category.

explain_finding({ id: "ASST-06" })

Resources

  • agentverus://taxonomy — Full ASST taxonomy (11 categories)

  • agentverus://offers — Hosted offer catalog and billing metadata

  • agentverus://about — Scanner info and capabilities

What It Scans For

The scanner checks for 11 categories of agent-specific security risks:

ID

Category

Examples

ASST-01

Instruction Injection

Hidden directives in HTML comments

ASST-02

Data Exfiltration

Unauthorized outbound data transfers

ASST-03

Privilege Escalation

Excessive permission requests

ASST-04

Dependency Hijacking

Compromised URLs, curl|sh patterns

ASST-05

Credential Harvesting

Reading env vars + network sends

ASST-06

Prompt Injection Relay

Unvalidated external content processing

ASST-07

Unverified Package

Unknown/unscanned dependencies

ASST-08

Obfuscation

Encoded payloads, minified scripts

ASST-09

Missing Safety Boundaries

No scope limits or error handling

ASST-10

Persistence Abuse

Exploitable state storage

ASST-11

Trigger Manipulation

Overly broad activation patterns

Trust Badges

Badge

Score

Meaning

🟢 Certified

95-100

No significant security concerns

🟡 Conditional

85-94

Minor concerns, review recommended

🟠 Suspicious

60-84

Significant concerns, manual review required

🔴 Rejected

0-59

Critical security issues found

License

MIT

A
license - permissive license
-
quality - not tested
D
maintenance

Maintenance

Maintainers
Response time
Release cycle
Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/agentverus/mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server