| Tool | Description |
|---|---|
| scan | Run a full AI supply chain security scan and return an AI-BOM. Point it at a target with one of:<br>• repo_url — a public git repo URL (cloned + scanned, no checkout)<br>• config_path — a local project / MCP-config directory<br>• image — a Docker image<br>• sbom_path — an existing CycloneDX/SPDX SBOM<br>• package — a single package or MCP launch command<br>With none of these, it auto-discovers local MCP clients (Claude Desktop, Cursor, Windsurf, VS Code Copilot, OpenClaw, etc.). It extracts package dependencies, queries OSV.dev for CVEs, assesses config security (credential exposure, tool access), computes blast radius, and returns structured results. Scanning is fully static and read-only — repository and image contents are parsed, never executed.<br>**Returns:** JSON with the complete AI-BOM report including agents, packages, vulnerabilities, blast radius, and remediation guidance. |
| check | Check a specific package for known CVEs before installing. Queries OSV.dev for vulnerabilities in the given package. Use this before installing an MCP server or dependency to verify it is safe.<br>**Args:**<br>package: Package name with optional version, e.g. "express@4.18.2", "@modelcontextprotocol/server-filesystem@2025.1.14", or just "requests" (resolves @latest).<br>ecosystem: Package ecosystem — "npm", "pypi", "go", "cargo", "maven", "nuget", "rubygems", "composer", "swift", "pub", "hex", "conda", "deb", "apk", or "rpm". Defaults to "npm".<br>**Returns:** JSON with package, version, ecosystem, vulnerability count, and vulnerability details (id, severity, cvss, fix version, summary). |
| intel_lookup | Look up one advisory from the local threat-intel database. |
| intel_match | Match package inventory coordinates to local threat-intel advisories. |
| intel_sources | Return canonical threat-intel sources and local feed-run freshness. |
| intel_daily_brief | Return a local analyst threat brief from governed intel sources. |
| blast_radius | Look up the blast radius of a specific CVE across your AI agent setup. Scans local MCP configurations, finds the specified CVE, and returns the full attack chain: which packages are affected, which MCP servers use those packages, which agents connect to those servers, and what credentials and tools are exposed.<br>**Args:**<br>cve_id: The CVE identifier (e.g. "CVE-2024-1234" or "GHSA-xxxx").<br>**Returns:** JSON with blast radius details including risk_score, affected_servers, affected_agents, exposed_credentials, and exposed_tools. Returns found=false if the CVE is not found. |
| exposure_paths | Return ranked ExposurePath JSON for headless security agents. This is the agent-native graph surface: Claude, Cursor, Codex, Windsurf, Cortex, and other MCP clients can request the same investigation objects used by the dashboard without scraping UI state. |
| should_i_deploy | Return an allow / warn / block deploy decision from graph exposure risk. Resolves a deployment candidate against the latest security-graph snapshot, ranks its reachable ExposurePaths by risk score, and maps the top score to a gate decision using the warn/block thresholds.<br>**Args:**<br>candidate: Package, resource, CVE, graph node ID, or deployment label to evaluate.<br>tenant_id: Tenant whose graph snapshot to read (default ``default``).<br>scan_id: Specific graph scan ID; omit to use the latest snapshot.<br>limit: Maximum matched exposure paths to return (1-25).<br>warn_risk: Risk score at or above which the decision becomes warn.<br>block_risk: Risk score at or above which the decision becomes block.<br>**Returns:** JSON with the ``decision`` (allow/warn/block), the driving risk score, and the ranked exposure paths behind it.<br>Call this as a pre-deployment gate to get a single machine-readable verdict instead of interpreting raw findings. |
| policy_check | Evaluate a security policy against current scan results. Runs a scan, then evaluates the provided policy rules against the findings. Policies can gate on severity thresholds, CISA KEV status, AI risk flags, credential exposure, and denied packages.<br>**Args:**<br>policy_json: JSON string containing policy rules. Example: ``{"rules": [{"id": "no-critical", "severity_gte": "critical", "action": "fail"}, {"id": "no-kev", "kev": true, "action": "fail"}]}``<br>**Returns:** JSON with passed (bool), violations list, failure_count, and warning_count. |
| registry_lookup | Query the agent-bom MCP server threat intelligence registry. Look up risk level, known tools, credential requirements, and verification status for known MCP servers. The registry contains 109+ servers with security metadata.<br>**Args:**<br>server_name: MCP server name to look up (e.g. "filesystem", "@modelcontextprotocol/server-github").<br>package_name: Package name to search for (e.g. "mcp-server-sqlite").<br>At least one of server_name or package_name is required.<br>**Returns:** JSON with registry entry: risk_level, verified, tools, credential_env_vars, risk_justification. Returns found=false if not found. |
| generate_sbom | Generate a Software Bill of Materials (SBOM) for your AI agent setup. Discovers AI agents and MCP servers, extracts all package dependencies, and generates a standards-compliant SBOM.<br>**Args:**<br>format: SBOM format — "cyclonedx" (CycloneDX 1.6) or "spdx" (SPDX 3.0).<br>config_path: Path to a specific MCP config directory. If not provided, auto-discovers all local agent configs.<br>**Returns:** JSON string containing the SBOM in the requested format. |
| compliance | Get OWASP LLM Top 10 / OWASP MCP Top 10 / MITRE ATLAS / NIST AI RMF compliance posture. Scans local MCP configurations, maps findings to 47 security controls across four AI security frameworks, and returns per-control pass/warning/fail status with an overall compliance score.<br>**Args:**<br>config_path: Path to a specific MCP config directory. If not provided, auto-discovers all local agent configs.<br>image: Docker image reference to scan (e.g. "nginx:1.25").<br>**Returns:** JSON with overall_score (0-100), overall_status (pass/warning/fail), and per-control details for OWASP LLM Top 10 (10 controls), OWASP MCP Top 10 (10 controls), MITRE ATLAS (13 techniques), and NIST AI RMF (14 subcategories). |
| remediate | Generate a remediation plan for vulnerabilities in your AI agent setup. Scans for vulnerabilities, then generates actionable fix commands for each affected package (npm install, pip install), credential scope reduction guidance, and reports on unfixable vulnerabilities.<br>**Args:**<br>config_path: Path to a specific MCP config directory. If not provided, auto-discovers all local agent configs.<br>image: Docker image reference to scan (e.g. "nginx:1.25").<br>**Returns:** JSON with package_fixes (upgrade commands by ecosystem), credential_fixes (scope reduction steps), and unfixable items. |
| verify | Verify package integrity and SLSA provenance against registries. Checks SHA-256/SRI hashes against npm/PyPI registries and looks up SLSA build provenance attestations to confirm the package was built from its claimed source repository.<br>**Returns:** JSON with integrity verification (hash match, expected vs actual) and provenance status (SLSA level, source repo, build trigger). |
| skill_scan | Scan skill and instruction files for trust, findings, and provenance. |
| skill_verify | Verify Sigstore provenance for skill and instruction files. |
| skill_trust | Assess the trust level of a SKILL.md file using ClawHub-style categories. |
| where | Show all MCP discovery paths and which config files exist. |
| inventory | List all discovered MCP configurations and servers without CVE scanning. |
| tool_risk_assessment | Live-introspect MCP servers and score each tool's capability risk. Discovers configured MCP clients, connects to their servers, calls ``tools/list``, and classifies every exposed tool by capability (filesystem, network, code execution, credential access) to produce a per-tool and per-server risk score from what the servers actually advertise at runtime.<br>**Args:**<br>config_path: MCP client config directory to read; auto-discovers all supported clients when omitted.<br>timeout: Per-server introspection timeout in seconds.<br>**Returns:** JSON with per-server tool inventories, per-tool capability classes and risk levels, and an aggregate server risk rating.<br>Use this to assess the blast radius of MCP servers an agent can reach before granting or trusting their tools. |
| diff | Compare a fresh scan against a baseline to find new and resolved vulns. Runs a new scan, then diffs it against the provided baseline (or the latest saved report). Shows new vulnerabilities, resolved ones, and changes in the package inventory.<br>**Returns:** JSON with new findings, resolved findings, new/removed packages, and a human-readable summary. |
| marketplace_check | Pre-install trust check for an MCP server package. Queries the package registry (npm or PyPI) for metadata and cross-references against the agent-bom MCP threat intelligence registry. Returns trust signals including download count, CVE status, and registry verification.<br>**Args:**<br>package: Package name to check.<br>ecosystem: 'npm' or 'pypi'. Defaults to 'npm'.<br>**Returns:** JSON with name, version, ecosystem, cve_count, download_count, registry_verified, and trust_signals. |
| code_scan | Run SAST (Static Application Security Testing) on source code via Semgrep. Scans for security flaws: SQL injection, XSS, command injection, hardcoded credentials, insecure deserialization, path traversal, etc. Returns findings with CWE classifications and severity levels. Requires ``semgrep`` on PATH (``pip install semgrep``). |
| context_graph | Build an agent context graph with lateral movement analysis. Models reachability between agents, servers, credentials, tools, and vulnerabilities. Answers: "If agent X is compromised, what else becomes reachable?"<br>**Returns:** JSON with nodes, edges, lateral_paths, interaction_risks, and stats. |
| graph_export | Export the agent dependency graph in graph-native formats. Formats:<br>- **graphml** — yEd, Gephi, NetworkX compatible with AIBOM-typed attributes<br>- **cypher** — Neo4j import script with AIBOM node labels (AIAgent, MCPServer, Package, Vulnerability)<br>- **dot** — Graphviz (pipe through ``dot -Tsvg``)<br>- **mermaid** — embed in markdown, GitHub, Notion<br>- **json** — machine-readable nodes/edges list<br>**Returns:** Graph in the requested format as a string. |
| analytics_query | Query vulnerability trends, posture history, and runtime event summaries from ClickHouse. Requires AGENT_BOM_CLICKHOUSE_URL to be set. Returns empty results if ClickHouse is not configured. |
| cis_benchmark | Run CIS benchmark checks against a cloud account. Evaluates security posture against CIS Foundations Benchmarks:<br>- AWS Foundations v3.0: 18 checks (IAM, Storage, Logging, Networking)<br>- Snowflake v1.0: 12 checks (Auth, Network, Data Protection, Monitoring, Access Control)<br>- Azure Security Benchmark v3.0: 10 checks (IAM, Storage, Logging, Networking, Key Vault)<br>- GCP Foundation v3.0: 8 checks (IAM, Logging, Networking, Storage)<br>All checks are read-only. Failed checks include MITRE ATT&CK Enterprise technique mappings. Requires appropriate credentials for the chosen provider.<br>**Returns:** JSON with per-check pass/fail results, evidence, severity, ATT&CK techniques, and pass rate. |
| fleet_scan | Batch-scan a list of MCP server names against the security metadata registry. Designed for fleet inventory data (EDR, SIEM, CSV exports) where you have server names but not versions. Returns per-server risk assessment with registry match status, risk category, tools, credentials, known CVEs, and a verdict (known-high-risk, known-medium, known-low, unknown-unvetted). Risk levels are category-derived (filesystem=high, database=medium, search=low), not made-up threat scores. Every field is traceable to a source.<br>**Returns:** JSON with summary (total, matched, unmatched, risk breakdown) and per-server details. |
| runtime_correlate | Cross-reference vulnerability scan results with proxy runtime audit logs. Identifies which vulnerable tools were ACTUALLY CALLED in production, distinguishing confirmed attack surface from theoretical risk. Produces risk-amplified findings: a vulnerable tool that was called 100 times is higher priority than one never invoked. Also accepts an OTel trace file (``otel_trace``) to extract ML API call provenance: which models were called, token usage, and deprecation advisories. Requires a proxy audit log (generated by running agent-bom proxy with the --log flag). Without an audit log, returns scan results only.<br>**Returns:** JSON with correlated findings (CVE + tool call data + amplified risk), summary stats, uncalled vulnerable tools, and ml_api_calls provenance. |
| runtime_production_index | Return metadata-only runtime production posture for agent/tool traffic. Summarizes tool-call volume, block rate, policy decisions, authorization trace posture, alerts, active sources/sessions, freshness, and retention mode without returning prompts, raw arguments, responses, or credential values. |
| runtime_blueprints | Return canonical role/profile blueprints for runtime policy design. |
| runtime_blueprint_drift | Compare current runtime traffic with an approved role/profile blueprint. |
| cost_report | Return LLM spend attribution (per agent/model/provider) and budget posture. Spend is derived from token counts on ingested OpenTelemetry GenAI spans priced via agent-bom's open cost model; no prompts or responses are read. |
| anomaly_scan | Surface cost and behavior anomalies: per-agent spend and per-session tool-call-rate statistical outliers, for proactive runaway-agent detection. |
| drift_incidents | List open blueprint-drift incidents (observed runtime traffic outside the approved role blueprint). Each incident records the blueprint, drift score, and top violations so an operator can reconcile the agent or blueprint and resolve it. |
| proxy_status | Return current MCP proxy metrics and alert summary, if a session is active. |
| proxy_alerts | Return recent runtime proxy alerts without prompts, arguments, or responses. |
| gateway_status | Return gateway policy and inter-agent firewall runtime statistics. |
| shield_status | Return current Shield assessment for a session without changing enforcement state. |
| shield_start | Start Shield enforcement for a session. Requires admin role, shield:write scope, and audit reason. |
| shield_unblock | Unblock Shield enforcement for a session. Requires admin role, shield:write scope, and audit reason. |
| shield_break_glass | Run Shield break-glass override. Requires admin role, shield:write scope, and audit reason. |
| identity_issue | Issue a managed agent identity. Requires admin role, identity:write scope, and an audit reason. Returns the raw token once. |
| identity_rotate | Rotate a managed identity, keeping the old token live during the overlap window. Requires admin role, identity:write scope, and an audit reason. |
| identity_revoke | Revoke a managed identity immediately. Requires admin role, identity:write scope, and an audit reason. |
| identity_grant_jit | Grant an identity time-bound JIT access to one tool. Requires admin role, identity:write scope, and an audit reason. |
| identity_revoke_jit | Revoke an active JIT grant immediately. Requires admin role, identity:write scope, and an audit reason. |
| firewall_check | Dry-run an inter-agent firewall decision without recording it to the control-plane tally. |
| audit_query | Read tenant-scoped control-plane audit records with filters and paging. Returns the immutable, hash-chained audit log of control-plane actions (identity, shield, firewall, and policy changes) for one tenant, with optional filtering by action, resource, and start time. Read-only: it never mutates enforcement state.<br>**Args:**<br>tenant_id: Tenant scope to read (default control-plane tenant).<br>action: Optional audit action filter (exact match).<br>resource: Optional audit resource filter (exact match).<br>since: Optional ISO-8601 timestamp lower bound.<br>limit: Maximum audit records to return (1-1000).<br>offset: Pagination offset.<br>**Returns:** JSON with the matched audit records (actor, action, resource, timestamp, chain position) and pagination metadata.<br>Call this to review who changed what in the control plane; pair with ``audit_integrity`` to verify the chain has not been tampered with. |
| audit_integrity | Verify control-plane and runtime audit chain integrity. |
| cost_forecast | Project LLM spend burn rate and budget runway for the active tenant. Derives a recent burn rate from persisted cost records and extrapolates to the configured budget, returning projected period spend, days of runway, and an exhaustion date. Reference only: a forecast never blocks a call and returns a clear status with null projections on sparse history. |
| cost_allocation | Return chargeback / showback LLM spend rollups by cost-center and allocation tag. Spend is derived from token counts on ingested OpenTelemetry GenAI spans priced via the open cost model. Includes per-cost-center allocation, budget posture, and forecast. No prompts or responses are read. |
| credential_expiry | Return expiring / overdue credential posture for control-plane secrets. Surfaces non-secret credential-expiry and rotation governance: which secrets are near expiry, overdue for rotation, or past max age, with an overall verdict. Never returns secret values. |
| nhi_discover | Discover non-human identities (Okta service apps / Entra service principals). Read-only and reference-only: returns normalized identity metadata (id, name, owner, created, credential expiry, scope references) — never secret material. Each provider is gated by its own discovery env flag and token; a disabled or unconfigured provider is reported in ``providers`` with a clear status rather than failing the request. |
| cloud_inventory | Summarize the estate-wide cloud asset inventory (resource + identity counts). Each provider is opt-in via its own ``AGENT_BOM_*_INVENTORY`` env flag and credentials; a disabled or unconfigured provider returns a clear status and contributes zero nodes. Returns resource/identity counts and a node summary only — reference-only, never resource secrets. |
| access_review | List or get NHI access-review / recertification campaigns and their status. Read-only: pass ``campaign_id`` to fetch one campaign with its review items, or omit it to list campaigns (overdue statuses refreshed). Creating a campaign or submitting a reviewer decision is a write action and is intentionally not exposed through this read-only tool. |
| vector_db_scan | Scan for running vector databases and assess their security posture. |
| aisvs_benchmark | Run AISVS v1.0 (AI Security Verification Standard) compliance checks. |
| gpu_infra_scan | Discover GPU/AI compute infrastructure: containers, K8s nodes, and DCGM endpoints. |
| dataset_card_scan | Scan a directory for ML dataset card metadata, provenance, and optionally PII/PHI content. |
| training_pipeline_scan | Scan a directory for ML training pipeline lineage and provenance. |
| browser_extension_scan | Scan installed browser extensions for dangerous permissions. |
| model_provenance_scan | Check ML model provenance and supply chain metadata. |
| prompt_scan | Scan prompt template files for prompt-injection and unsafe-interpolation risks. Walks the given directory for prompt assets (``.prompt`` files, ``system_prompt.*``, and ``prompts/`` directories), then statically inspects each template for injection-prone patterns and unsafe variable interpolation (untrusted input concatenated into instructions, missing delimiters, tool/role-confusion phrasing).<br>**Args:**<br>directory: Directory path to scan for prompt template files.<br>**Returns:** JSON with the scanned files, per-file findings (rule id, severity, line, message), and a summary count by severity.<br>Use this before shipping or registering agent prompts to catch injection exposure that package and CVE scans do not cover. |
| model_file_scan | Scan a directory for ML model files and assess serialization risks. |
| ai_inventory_scan | Scan source code for AI component usage patterns. |
| license_compliance_scan | Evaluate package licenses against an SPDX compliance policy. Takes packages (either a prior ``scan`` result JSON or an explicit array of ``{name, version, ecosystem, license}`` objects) and classifies each license as allowed, warn, or blocked. Normalizes 2,500+ SPDX IDs (including deprecated identifiers) and flags network-copyleft licenses (AGPL/SSPL/BUSL and similar).<br>**Args:**<br>scan_json: JSON of a previous scan result, or a JSON array of package objects with license metadata.<br>policy_json: Optional JSON policy with ``license_block`` / ``license_warn`` glob lists. Falls back to the built-in policy (block strong/network copyleft, warn weak copyleft) when empty.<br>**Returns:** JSON with per-package license verdicts, the matched policy rule, and counts of blocked / warned / allowed packages.<br>Call this in release or procurement gates to enforce license policy on an agent's dependency set without running a full scan. |
| ingest_external_scan | Ingest Trivy, Grype, or Syft JSON scan output and return packages with blast radius analysis. |
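To make the `check` tool's OSV.dev lookup concrete, here is an added Python example (not agent-bom code) that splits a package spec the way the tool accepts it, builds the OSV query body, and reduces the response to the fields the tool reports. The ecosystem-name mapping and the sample response are assumptions constructed for this example.

```python
from __future__ import annotations
import json, urllib.request

# agent-bom ecosystem names (from the check tool's argument list) mapped to the
# ecosystem strings OSV.dev uses. The mapping is an assumption of this example;
# names without a clear OSV equivalent ("conda", "rpm") are left out.
OSV_ECOSYSTEM = {
    "npm": "npm", "pypi": "PyPI", "go": "Go", "cargo": "crates.io",
    "maven": "Maven", "nuget": "NuGet", "rubygems": "RubyGems", "composer": "Packagist",
    "swift": "SwiftURL", "pub": "Pub", "hex": "Hex", "deb": "Debian", "apk": "Alpine",
}

def split_spec(spec: str) -> tuple[str, str | None]:
    """Split 'name@version'. Scoped npm names start with '@', so only an '@'
    after position 0 separates the version; 'requests' yields version None."""
    at = spec.rfind("@")
    return (spec, None) if at <= 0 else (spec[:at], spec[at + 1:])

def build_osv_query(spec: str, ecosystem: str = "npm") -> dict:
    """Body for POST https://api.osv.dev/v1/query. Without a version OSV returns
    every advisory for the package; resolving @latest from the registry, which
    the tool does, is outside this example."""
    name, version = split_spec(spec)
    if ecosystem.lower() not in OSV_ECOSYSTEM:
        raise ValueError(f"unsupported ecosystem: {ecosystem}")
    body: dict = {"package": {"name": name, "ecosystem": OSV_ECOSYSTEM[ecosystem.lower()]}}
    if version:
        body["version"] = version
    return body

def fixed_version(vuln: dict, name: str) -> str | None:
    """First 'fixed' event in the advisory's ranges for this package, if any."""
    for affected in vuln.get("affected", []):
        if affected.get("package", {}).get("name") != name:
            continue
        for rng in affected.get("ranges", []):
            for event in rng.get("events", []):
                if "fixed" in event:
                    return event["fixed"]
    return None

def summarize(response: dict, name: str) -> list[dict]:
    """Reduce an OSV response to the fields the check tool reports."""
    out = []
    for v in response.get("vulns", []):
        cvss = next((s.get("score") for s in v.get("severity", [])
                     if str(s.get("type", "")).startswith("CVSS")), None)
        out.append({"id": v.get("id"), "cvss": cvss,
                    "severity": (v.get("database_specific") or {}).get("severity"),
                    "fix_version": fixed_version(v, name), "summary": v.get("summary")})
    return out

def query_osv(spec: str, ecosystem: str = "npm") -> list[dict]:
    """Live lookup (network); the constructed sample below is used offline."""
    body = build_osv_query(spec, ecosystem)
    req = urllib.request.Request("https://api.osv.dev/v1/query", data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return summarize(json.load(resp), body["package"]["name"])

# Constructed OSV-shaped response for offline use; not a real advisory.
SAMPLE_RESPONSE = {"vulns": [{
    "id": "GHSA-EXAMPLE-0000", "summary": "constructed example advisory",
    "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],
    "database_specific": {"severity": "HIGH"},
    "affected": [{"package": {"ecosystem": "npm", "name": "example-pkg"},
                  "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.2.3"}]}]}],
}]}
```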
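An added example, not agent-bom's own evaluator, of how `policy_check` rules like the one quoted in its description can be applied to scan findings. The rule semantics (severity_gte, kev, deny_packages; fail or warn actions) and the findings are assumptions constructed for this example.

```python
from __future__ import annotations
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
SUPPORTED_CONDITIONS = ("severity_gte", "kev", "deny_packages")

def rule_matches(rule: dict, finding: dict) -> bool:
    """A rule matches a finding only when every condition it states holds.
    A rule with no recognised condition matches nothing, so a mistyped key
    cannot silently fail (or pass) the whole scan."""
    if not any(key in rule for key in SUPPORTED_CONDITIONS):
        return False
    if "severity_gte" in rule:
        need = SEVERITY_RANK[rule["severity_gte"].lower()]
        have = SEVERITY_RANK.get(str(finding.get("severity", "")).lower(), 0)
        if have < need:
            return False
    if "kev" in rule and bool(finding.get("kev", False)) != bool(rule["kev"]):
        return False
    if "deny_packages" in rule and finding.get("package") not in rule["deny_packages"]:
        return False
    return True

def evaluate_policy(policy_json: str, findings: list[dict]) -> dict:
    """Apply every rule to every finding and roll up to the tool's result shape."""
    policy = json.loads(policy_json)
    violations = []
    for rule in policy.get("rules", []):
        action = rule.get("action", "fail")
        if action not in ("fail", "warn"):
            raise ValueError(f"rule {rule.get('id')!r}: unknown action {action!r}")
        for finding in findings:
            if rule_matches(rule, finding):
                violations.append({"rule": rule.get("id"), "action": action,
                                   "package": finding.get("package"),
                                   "vulnerability": finding.get("id")})
    failures = sum(1 for v in violations if v["action"] == "fail")
    warnings = sum(1 for v in violations if v["action"] == "warn")
    return {"passed": failures == 0, "violations": violations,
            "failure_count": failures, "warning_count": warnings}

# Constructed findings with placeholder ids, standing in for a real scan result.
SAMPLE_FINDINGS = [
    {"package": "example-a", "id": "CVE-0000-0001", "severity": "critical", "kev": False},
    {"package": "example-b", "id": "CVE-0000-0002", "severity": "high", "kev": True},
    {"package": "example-c", "id": "CVE-0000-0003", "severity": "low", "kev": False},
]
# The tool description's example policy plus one warn rule and one denied package.
SAMPLE_POLICY = json.dumps({"rules": [
    {"id": "no-critical", "severity_gte": "critical", "action": "fail"},
    {"id": "no-kev", "kev": True, "action": "fail"},
    {"id": "review-high", "severity_gte": "high", "action": "warn"},
    {"id": "deny-example-c", "deny_packages": ["example-c"], "action": "fail"},
]})
```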
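For the `blast_radius` and `context_graph` tools, an added example (not agent-bom code) that walks a small constructed agent/server/package graph in both directions: upward from a CVE to the servers, agents, credentials and tools it reaches, and downward from a compromised agent. The node set, edge relations and the risk_score weighting are assumptions of this example.

```python
from __future__ import annotations
from collections import defaultdict, deque

# Constructed inventory for this example (not real agent-bom output). Node ids
# carry a type prefix; the types follow the AIBOM labels the graph_export row lists.
NODES = {
    "agent:claude-desktop": "AIAgent", "agent:cursor": "AIAgent",
    "server:filesystem": "MCPServer", "server:github": "MCPServer",
    "pkg:example-http@1.0.0": "Package", "pkg:example-fs@2.0.0": "Package",
    "vuln:CVE-0000-0001": "Vulnerability",
    "cred:GITHUB_TOKEN": "Credential",
    "tool:write_file": "Tool", "tool:create_issue": "Tool",
}
EDGES = [  # (source, relation, target); every edge points away from the agent
    ("agent:claude-desktop", "connects_to", "server:filesystem"),
    ("agent:claude-desktop", "connects_to", "server:github"),
    ("agent:cursor", "connects_to", "server:github"),
    ("server:filesystem", "depends_on", "pkg:example-fs@2.0.0"),
    ("server:github", "depends_on", "pkg:example-http@1.0.0"),
    ("pkg:example-http@1.0.0", "affected_by", "vuln:CVE-0000-0001"),
    ("server:github", "exposes", "cred:GITHUB_TOKEN"),
    ("server:github", "exposes", "tool:create_issue"),
    ("server:filesystem", "exposes", "tool:write_file"),
]

def adjacency(edges, reverse: bool = False) -> dict[str, list[str]]:
    adj: dict[str, list[str]] = defaultdict(list)
    for src, _, dst in edges:
        adj[dst if reverse else src].append(src if reverse else dst)
    return adj

def reachable(start: str, adj: dict[str, list[str]]) -> set[str]:
    """Plain BFS; every node reachable from start, start itself excluded."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen

def of_type(nodes: set[str], kind: str) -> list[str]:
    return sorted(n for n in nodes if NODES.get(n) == kind)

def blast_radius(cve_id: str) -> dict:
    """Walk upward from the CVE (packages -> servers -> agents), then read the
    credentials and tools those servers expose. Output keys mirror the tool's;
    the risk_score weighting is an illustrative assumption."""
    vuln = f"vuln:{cve_id}"
    if vuln not in NODES:
        return {"found": False}
    upstream = reachable(vuln, adjacency(EDGES, reverse=True))
    servers = of_type(upstream, "MCPServer")
    forward = adjacency(EDGES)
    exposed = {n for s in servers for n in forward[s]}  # only affected servers count
    creds, tools = of_type(exposed, "Credential"), of_type(exposed, "Tool")
    score = min(100, 25 * len(creds) + 10 * len(servers) + 5 * len(tools))
    return {"found": True, "affected_packages": of_type(upstream, "Package"),
            "affected_servers": servers, "affected_agents": of_type(upstream, "AIAgent"),
            "exposed_credentials": creds, "exposed_tools": tools, "risk_score": score}

def lateral_reach(agent_id: str) -> dict[str, list[str]]:
    """The context_graph question: if this agent is compromised, what becomes reachable?"""
    hit = reachable(agent_id, adjacency(EDGES))
    return {k: of_type(hit, k) for k in ("MCPServer", "Package", "Vulnerability", "Credential", "Tool")}
```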
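To show what the hash-chained audit log behind `audit_query` and `audit_integrity` gives an operator, an added example (not agent-bom's implementation) that builds a chain, filters and pages it like audit_query, and verifies every link. The record layout and the SHA-256 chaining rule are assumptions of this example.

```python
from __future__ import annotations
import hashlib
import json

GENESIS = "0" * 64  # prev_hash the first record links to

def digest(body: dict) -> str:
    """SHA-256 over canonical (sorted-key, compact) JSON so key order cannot change the hash."""
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def append_record(chain: list[dict], actor: str, action: str, resource: str, timestamp: str) -> dict:
    """Append one control-plane action. The hash covers prev_hash, so every later
    record commits to this one and an edit anywhere breaks the links after it."""
    body = {"position": len(chain), "actor": actor, "action": action, "resource": resource,
            "timestamp": timestamp, "prev_hash": chain[-1]["hash"] if chain else GENESIS}
    body["hash"] = digest(body)  # computed before the hash field exists in body
    chain.append(body)
    return body

def verify_chain(chain: list[dict]) -> tuple[bool, int | None]:
    """Recompute every hash and link; returns (ok, first_bad_position). Removing
    records from the tail is not detectable here without an externally stored head hash."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("position") != i or body.get("prev_hash") != prev or digest(body) != rec.get("hash"):
            return False, i
        prev = rec["hash"]
    return True, None

def query_audit(chain: list[dict], action: str | None = None, resource: str | None = None,
                since: str | None = None, limit: int = 100, offset: int = 0) -> dict:
    """Filter and page like the audit_query tool. 'since' compares ISO-8601 UTC
    strings, which sort correctly only when every timestamp shares one format."""
    limit = max(1, min(limit, 1000))  # the tool documents a 1-1000 range
    matched = [r for r in chain
               if (action is None or r["action"] == action)
               and (resource is None or r["resource"] == resource)
               and (since is None or r["timestamp"] >= since)]
    return {"records": matched[offset:offset + limit], "total": len(matched),
            "offset": offset, "limit": limit}

def build_sample_chain() -> list[dict]:
    """Constructed sample: three control-plane actions for one tenant."""
    chain: list[dict] = []
    append_record(chain, "alice", "identity.issue", "identity:agent-01", "2025-01-01T10:00:00Z")
    append_record(chain, "alice", "shield.start", "session:s-1", "2025-01-01T10:05:00Z")
    append_record(chain, "bob", "identity.revoke", "identity:agent-01", "2025-01-02T09:00:00Z")
    return chain
```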
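An added example (not agent-bom code) of the classification `license_compliance_scan` describes: glob-based block/warn lists, a built-in fallback policy, normalization of deprecated SPDX ids and the network-copyleft flag. The fallback policy, the small deprecated-id table and the package list are assumptions constructed for this example.

```python
from __future__ import annotations
import fnmatch
import json

# Built-in fallback policy: an assumption of this example modelled on the tool
# description (block strong/network copyleft, warn on weak copyleft).
DEFAULT_POLICY = {
    "license_block": ["GPL-*", "AGPL-*", "SSPL-*", "BUSL-*"],
    "license_warn": ["LGPL-*", "MPL-*", "EPL-*", "CDDL-*"],
}
# Small subset of deprecated SPDX ids and their current forms (the real list is far larger).
DEPRECATED_IDS = {
    "GPL-2.0": "GPL-2.0-only", "GPL-2.0+": "GPL-2.0-or-later",
    "GPL-3.0": "GPL-3.0-only", "GPL-3.0+": "GPL-3.0-or-later",
    "LGPL-2.1": "LGPL-2.1-only", "AGPL-3.0": "AGPL-3.0-only",
}
NETWORK_COPYLEFT_PREFIXES = ("AGPL-", "SSPL-", "BUSL-")

def normalize_license(license_id: str | None) -> str:
    lid = (license_id or "").strip()
    return DEPRECATED_IDS.get(lid, lid)

def classify(license_id: str | None, policy: dict) -> tuple[str, str | None]:
    """Return (verdict, matched_rule). Block patterns win over warn patterns; a
    missing license is a warn so it cannot silently pass as allowed. SPDX
    expressions such as 'MIT OR Apache-2.0' are not evaluated in this example."""
    lid = normalize_license(license_id)
    if not lid:
        return "warn", "missing-license"
    for pat in policy.get("license_block", []):
        if fnmatch.fnmatchcase(lid, pat):
            return "blocked", pat
    for pat in policy.get("license_warn", []):
        if fnmatch.fnmatchcase(lid, pat):
            return "warn", pat
    return "allowed", None

def evaluate_licenses(scan_json: str, policy_json: str | None = None) -> dict:
    """Accepts either {'packages': [...]} from a prior scan or a bare list of
    {name, version, ecosystem, license} objects, like the tool's scan_json."""
    data = json.loads(scan_json)
    packages = data["packages"] if isinstance(data, dict) else data
    policy = json.loads(policy_json) if policy_json else DEFAULT_POLICY
    results, counts = [], {"blocked": 0, "warned": 0, "allowed": 0}
    for pkg in packages:
        verdict, rule = classify(pkg.get("license"), policy)
        lid = normalize_license(pkg.get("license"))
        results.append({"name": pkg.get("name"), "version": pkg.get("version"),
                        "ecosystem": pkg.get("ecosystem"), "license": lid,
                        "verdict": verdict, "rule": rule,
                        "network_copyleft": lid.startswith(NETWORK_COPYLEFT_PREFIXES)})
        counts["warned" if verdict == "warn" else verdict] += 1
    return {"packages": results, "counts": counts, "passed": counts["blocked"] == 0}

# Constructed input, not real scan output.
SAMPLE_SCAN = json.dumps([
    {"name": "example-a", "version": "1.0.0", "ecosystem": "npm", "license": "MIT"},
    {"name": "example-b", "version": "2.0.0", "ecosystem": "pypi", "license": "GPL-3.0"},
    {"name": "example-c", "version": "0.4.0", "ecosystem": "npm", "license": "LGPL-2.1"},
    {"name": "example-d", "version": "3.1.0", "ecosystem": "npm", "license": "AGPL-3.0"},
    {"name": "example-e", "version": "1.1.0", "ecosystem": "pypi", "license": ""},
])
```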