agent-guard-mcp
Provides tools to check the safety of npm and PyPI packages, and to verify npm (package-lock.json), pnpm, Yarn and Poetry lockfiles, before installation.
1. Click on "Install Server".
2. Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
3. In the chat, type @ followed by the MCP server name and your instructions, e.g. "@agent-guard-mcp check if package 'lodash' is safe to add".
4. That's it. The server will respond to your query, and you can continue using it as needed.
agent-guard-mcp
Verify-before-act safety tools for AI coding agents. Call these before installing a dependency, merging a CI change, or installing a third-party skill/plugin — so an agent refuses hallucinated packages, typosquats, poisoned manifests, and compromised CI actions.
Exposes four MCP tools (also available as a plain HTTP service):
The tool names below are the paths of the HTTP mirror; each mirrors one MCP tool.

| Tool | Use before… | Returns |
|---|---|---|
| /check | adding a single npm/PyPI dependency | OK / SUSPICIOUS / DANGER + typosquat/slop flags |
| /check-lockfile | running an install from a lockfile | a scan of every direct + transitive dep in the lockfile |
| /score-manifest | installing a Cursor/Claude skill or MCP/Smithery plugin | poison-signature + scope-overreach + drift score 0–100 |
| /check-workflow | merging a PR that touches CI | flags for mutable action pins, compromised actions, curl \| bash, pwn-requests, secret exposure |
Why
AI agents routinely hallucinate package names (slopsquatting), trust LLM-generated lockfiles, install unvetted skill packs, and pin CI actions to mutable tags. Each is a live supply-chain vector. This server gives an agent a cheap "is this safe?" call before it acts.
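As an added example that is not the project's own code, the JavaScript below shows the shape of what the `/check` and `/check-lockfile` tools return: a verdict of OK / SUSPICIOUS / DANGER with typosquat and slopsquat flags for a single name, and the same name check run over every direct and transitive entry of a v2/v3 package-lock.json together with provenance checks on each entry's `resolved` URL and `integrity` hash. The "known package" lists, the lockfile, its hashes and the registry prefix are constructed placeholders; a real service would query the registry instead of matching against a fixed list.

```javascript
"use strict";
// Added example, not agent-guard-mcp's implementation. The KNOWN lists stand in for a
// registry lookup so that the check runs offline.

// Constructed popularity lists (assumption: a real check would query the registry).
const KNOWN = {
  npm: ["lodash", "express", "react", "axios", "chalk", "commander", "@types/node"],
  pypi: ["requests", "numpy", "pandas", "flask", "django", "cryptography"],
};

// PEP 503-style normalisation, applied to npm names too: lowercase and fold -, _ and .
// together, since separator swaps are a common way for a look-alike name to hide.
function normalizeName(name) {
  return name.trim().toLowerCase().replace(/[-_.]+/g, "-");
}

// Optimal-string-alignment distance: insert/delete/substitute plus adjacent transposition,
// so "lodahs" is one edit away from "lodash".
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Verdict for one package name: exact (normalised) match is OK, a near miss of a known name
// is a typosquat (DANGER), anything else is unknown and must be confirmed to exist
// before an agent installs it (SUSPICIOUS, the slopsquatting case).
function checkPackage(name, ecosystem = "npm") {
  const known = KNOWN[ecosystem];
  if (!known) throw new Error(`unsupported ecosystem: ${ecosystem}`);
  const norm = normalizeName(name);
  const flags = [];
  if (known.some((k) => normalizeName(k) === norm)) return { name, verdict: "OK", flags };
  let nearest = null;
  let best = Infinity;
  for (const k of known) {
    const dist = osaDistance(norm, normalizeName(k));
    if (dist < best) { best = dist; nearest = k; }
  }
  // Distance 1 always counts; distance 2 only against longer names, where two edits still
  // leave the target recognisable to a human skimming an install log.
  if (best === 1 || (best === 2 && nearest.length >= 8)) {
    flags.push(`possible typosquat of ${nearest} (distance ${best})`);
    return { name, verdict: "DANGER", flags };
  }
  flags.push("not in known set; confirm it exists on the registry before installing (slopsquat risk)");
  return { name, verdict: "SUSPICIOUS", flags };
}

// Walk every entry of a v2/v3 package-lock.json "packages" map (direct and transitive alike),
// check the name, and check that each tarball comes from the expected registry with a
// strong integrity hash. Provenance problems raise an OK name to SUSPICIOUS.
function checkNpmLockfile(lockfileContent, registryPrefix = "https://registry.npmjs.org/") {
  const lock = JSON.parse(lockfileContent);
  if (!lock.packages || !(lock.lockfileVersion >= 2)) {
    throw new Error("expected lockfileVersion 2 or 3 with a packages map");
  }
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "" || entry.link) continue; // root project and workspace symlinks
    const name = entry.name ?? path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const result = checkPackage(name, "npm");
    const flags = [...result.flags];
    if (!entry.resolved) flags.push("no resolved URL");
    else if (!entry.resolved.startsWith(registryPrefix)) flags.push(`resolved outside registry: ${entry.resolved}`);
    if (!entry.integrity) flags.push("no integrity hash");
    else if (!entry.integrity.startsWith("sha512-")) flags.push(`weak integrity algorithm: ${entry.integrity.split("-")[0]}`);
    const verdict = result.verdict === "OK" && flags.length ? "SUSPICIOUS" : result.verdict;
    findings.push({ name, version: entry.version, verdict, flags });
  }
  return findings;
}

// Constructed lockfile: one good entry, one typosquat, one entry fetched from outside the
// registry with a weak hash, one unknown name with no hash, and one nested (transitive) dep.
// Hash values are placeholders, not real digests.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "demo-app", lockfileVersion: 3, requires: true,
  packages: {
    "": { name: "demo-app", dependencies: { lodash: "^4.17.21", lodahs: "^1.0.0", express: "^4.19.2", "leftpad-helper-utils": "^0.1.0" } },
    "node_modules/lodash": { version: "4.17.21", resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", integrity: "sha512-CONSTRUCTEDPLACEHOLDER==" },
    "node_modules/lodahs": { version: "1.0.0", resolved: "https://registry.npmjs.org/lodahs/-/lodahs-1.0.0.tgz", integrity: "sha512-CONSTRUCTEDPLACEHOLDER==" },
    "node_modules/express": { version: "4.19.2", resolved: "https://evil.example/express-4.19.2.tgz", integrity: "sha1-CONSTRUCTED=" },
    "node_modules/leftpad-helper-utils": { version: "0.1.0", resolved: "https://registry.npmjs.org/leftpad-helper-utils/-/leftpad-helper-utils-0.1.0.tgz" },
    "node_modules/express/node_modules/axios": { version: "1.6.0", resolved: "https://registry.npmjs.org/axios/-/axios-1.6.0.tgz", integrity: "sha512-CONSTRUCTEDPLACEHOLDER==" },
  },
});

console.log(JSON.stringify(checkPackage("lodahs", "npm")));
console.log(JSON.stringify(checkNpmLockfile(SAMPLE_LOCKFILE), null, 2));
```

The distance threshold is deliberately conservative: genuine packages can sit one edit apart (think of short names), so a near miss is a flag for the agent to confirm the name with a human or the registry, not a silent block. The lockfile walk treats a tarball served from outside the registry or an integrity field that is missing or still sha1 as a provenance problem in its own right, independent of whether the name looks legitimate.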
Related MCP server: DepScope
Install (MCP client)

```json
{
  "mcpServers": {
    "agent-guard": { "command": "npx", "args": ["-y", "agent-guard-mcp"] }
  }
}
```

Or run directly:

```sh
npm install
node src/mcp-server.mjs   # stdio MCP server
npm run http              # optional HTTP mirror on :8402
```

HTTP endpoints (mirror of the MCP tools)

```text
GET  /check?name=<pkg>&ecosystem=<npm|pypi>
POST /check-lockfile   {lockfile_content, format}    format ∈ package-lock.json | yarn.lock | pnpm-lock.yaml | poetry.lock | requirements.txt
POST /score-manifest   {manifest_type, manifest_content}
POST /check-workflow   {workflow_content}
```
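As an added example that is not the project's own code, the following JavaScript implements the kind of checks the `/check-workflow` endpoint describes for a GitHub Actions file passed as `workflow_content`: mutable action pins, a known-compromised action, `curl | bash`, a pwn-request (a `pull_request_target` workflow that checks out the pull request's own head) and a secret echoed into a log. It scans the YAML line by line with regular expressions rather than a YAML parser, which is enough for the constructed workflow below; the compromised-action set, the action names and the commit SHA are placeholders, and a real tool would load that set from an advisory feed.

```javascript
"use strict";
// Added example, not agent-guard-mcp's implementation. Line-oriented regex checks keep it
// dependency-free; a production scanner should parse the YAML properly.

const FULL_SHA = /^[0-9a-f]{40}$/;
const USES_LINE = /^\s*-?\s*uses:\s*['"]?([^'"#\s]+)/;
const PIPE_TO_SHELL = /\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(bash|sh|zsh)\b/;
const SECRET_ECHO = /\becho\b.*\$\{\{\s*secrets\./;
const PR_HEAD_REF = /\bref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\b/;

function checkWorkflow(workflowContent, { compromised = new Set() } = {}) {
  const lines = workflowContent.split("\n");
  const findings = [];
  const add = (line, severity, message) => findings.push({ line, severity, message });

  // pull_request_target runs with the base repo's permissions and secrets even for PRs
  // from forks, so checking out and running the PR's own code there is a "pwn request".
  const prTarget = lines.some(
    (l) => !/^\s*(#|-?\s*run:)/.test(l) && /\bpull_request_target\b/.test(l)
  );

  lines.forEach((text, idx) => {
    const no = idx + 1;
    const uses = text.match(USES_LINE);
    if (uses) {
      const ref = uses[1];
      // Local actions and docker:// images use a different pinning model; skip them here.
      if (!ref.startsWith("./") && !ref.startsWith("docker://")) {
        const at = ref.lastIndexOf("@");
        const action = at === -1 ? ref : ref.slice(0, at);
        const pin = at === -1 ? "" : ref.slice(at + 1);
        if (compromised.has(action)) add(no, "DANGER", `known-compromised action: ${action}`);
        // Tags (v4, v4.1.1) and branches (main) can be moved by the action's owner or an
        // attacker who takes over the repo; only a full commit SHA is immutable.
        if (!FULL_SHA.test(pin)) {
          add(no, "SUSPICIOUS", `mutable action pin ${ref}; pin to a full commit SHA`);
        }
      }
    }
    if (PIPE_TO_SHELL.test(text)) add(no, "DANGER", "curl|bash: remote script executed without verification");
    if (SECRET_ECHO.test(text)) add(no, "DANGER", "secret exposure: secret value echoed into a log or file");
    if (prTarget && PR_HEAD_REF.test(text)) {
      add(no, "DANGER", "pwn request: pull_request_target checks out the PR head, so fork code runs with repo secrets");
    }
  });

  const verdict = findings.some((f) => f.severity === "DANGER") ? "DANGER"
    : findings.length ? "SUSPICIOUS" : "OK";
  return { verdict, findings };
}

// Constructed workflow exercising every check. Built as an array so the ${{ }} expressions
// are plain text and not JavaScript template substitutions.
const SAMPLE_WORKFLOW = [
  "name: ci",
  "on:",
  "  pull_request_target:",
  "    types: [opened, synchronize]",
  "jobs:",
  "  test:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "        with:",
  "          ref: ${{ github.event.pull_request.head.sha }}",
  "      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567",
  "      - uses: ./.github/actions/lint",
  "      - uses: acme-demo/setup-tooling@main",
  "      - run: curl -sSL https://example.com/install.sh | bash",
  '      - run: echo "token=${{ secrets.NPM_TOKEN }}" >> out.txt',
  "      - run: npm test",
].join("\n");

// Constructed placeholder for an advisory-fed denylist; acme-demo/setup-tooling is not a real action.
const SAMPLE_COMPROMISED = new Set(["acme-demo/setup-tooling"]);

console.log(JSON.stringify(checkWorkflow(SAMPLE_WORKFLOW, { compromised: SAMPLE_COMPROMISED }), null, 2));
```

Mutable pins are reported as SUSPICIOUS rather than DANGER because almost every real workflow has them; the agent's job is to refuse to merge a PR that adds new ones, while the compromised-action, `curl | bash`, secret-echo and pwn-request findings each justify a DANGER verdict on their own.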
License
MIT.
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/liminalpepe/agent-guard-mcp'