| scan | Run a full AI supply chain security scan. Discovers local MCP configurations (Claude Desktop, Cursor, Windsurf,
VS Code Copilot, OpenClaw, etc.), extracts package dependencies, queries
OSV.dev for CVEs, assesses config security (credential exposure, tool access),
computes blast radius, and returns structured results.
Returns:
JSON with the complete AI-BOM report including agents, packages,
vulnerabilities, blast radius, and remediation guidance.
|
| check | Check a specific package for known CVEs before installing. Queries OSV.dev for vulnerabilities in the given package. Use this
before installing an MCP server or dependency to verify it is safe.
Args:
package: Package name with optional version, e.g. "express@4.18.2",
"@modelcontextprotocol/server-filesystem@2025.1.14",
or just "requests" (resolves @latest).
ecosystem: Package ecosystem — "npm", "pypi", "go", "cargo",
"maven", or "nuget". Defaults to "npm".
Returns:
JSON with package, version, ecosystem, vulnerability count,
and vulnerability details (id, severity, cvss, fix version, summary).
|
| blast_radius | Look up the blast radius of a specific CVE across your AI agent setup. Scans local MCP configurations, finds the specified CVE, and returns
the full attack chain: which packages are affected, which MCP servers
use those packages, which agents connect to those servers, and what
credentials and tools are exposed.
Args:
cve_id: The CVE identifier (e.g. "CVE-2024-1234" or "GHSA-xxxx").
Returns:
JSON with blast radius details including risk_score,
affected_servers, affected_agents, exposed_credentials, and
exposed_tools. Returns found=false if CVE not found.
|
| policy_check | Evaluate a security policy against current scan results. Runs a scan, then evaluates the provided policy rules against the
findings. Policies can gate on severity thresholds, CISA KEV status,
AI risk flags, credential exposure, and denied packages.
Args:
policy_json: JSON string containing policy rules. Example:
{"rules": [{"id": "no-critical", "severity_gte": "critical",
"action": "fail"}, {"id": "no-kev", "kev": true, "action": "fail"}]}
Returns:
JSON with passed (bool), violations list, failure_count, and
warning_count.
|
| registry_lookup | Query the agent-bom MCP server threat intelligence registry. Look up risk level, known tools, credential requirements, and
verification status for known MCP servers. The registry contains
109+ servers with security metadata.
Args:
server_name: MCP server name to look up (e.g. "filesystem",
"@modelcontextprotocol/server-github").
package_name: Package name to search for (e.g. "mcp-server-sqlite").
At least one of server_name or package_name is required.
Returns:
JSON with registry entry: risk_level, verified, tools,
credential_env_vars, risk_justification. Returns found=false
if not found.
|
| generate_sbom | Generate a Software Bill of Materials (SBOM) for your AI agent setup. Discovers AI agents and MCP servers, extracts all package dependencies,
and generates a standards-compliant SBOM.
Args:
format: SBOM format — "cyclonedx" (CycloneDX 1.6) or "spdx" (SPDX 3.0).
config_path: Path to a specific MCP config directory.
If not provided, auto-discovers all local agent configs.
Returns:
JSON string containing the SBOM in the requested format.
|
| compliance | Get OWASP LLM Top 10 / OWASP MCP Top 10 / MITRE ATLAS / NIST AI RMF compliance posture. Scans local MCP configurations, maps findings to 47 security controls
across four AI security frameworks, and returns per-control
pass/warning/fail status with an overall compliance score.
Args:
config_path: Path to a specific MCP config directory.
If not provided, auto-discovers all local agent configs.
image: Docker image reference to scan (e.g. "nginx:1.25").
Returns:
JSON with overall_score (0-100), overall_status (pass/warning/fail),
and per-control details for OWASP LLM Top 10 (10 controls),
OWASP MCP Top 10 (10 controls), MITRE ATLAS (13 techniques),
and NIST AI RMF (14 subcategories).
|
| remediate | Generate a remediation plan for vulnerabilities in your AI agent setup. Scans for vulnerabilities, then generates actionable fix commands for
each affected package (npm install, pip install), credential scope
reduction guidance, and reports on unfixable vulnerabilities.
Args:
config_path: Path to a specific MCP config directory.
If not provided, auto-discovers all local agent configs.
image: Docker image reference to scan (e.g. "nginx:1.25").
Returns:
JSON with package_fixes (upgrade commands by ecosystem),
credential_fixes (scope reduction steps), and unfixable items.
|
| skill_trust | Assess the trust level of a SKILL.md file using ClawHub-style categories. Parses a SKILL.md file, runs security audit checks, then evaluates
trust across 5 categories: Purpose & Capability, Instruction Scope,
Install Mechanism, Credentials, and Persistence & Privilege.
Returns an overall verdict (benign/suspicious/malicious) with
confidence level and actionable recommendations.
Args:
skill_path: Path to a SKILL.md file (or any skill/instruction file).
Returns:
JSON with verdict, confidence, per-category assessments, and
recommendations.
|
| verify | Verify package integrity and SLSA provenance against registries. Checks SHA-256/SRI hashes against npm/PyPI registries and looks up
SLSA build provenance attestations to confirm the package was built
from its claimed source repository.
Returns:
JSON with integrity verification (hash match, expected vs actual)
and provenance status (SLSA level, source repo, build trigger).
|
| where | Show all MCP discovery paths and which config files exist. Lists every known MCP client config path per platform, indicating
which files are present on the current system. Useful for debugging
discovery issues or understanding where MCP configs live.
Returns:
JSON with per-client config paths, existence status, and platform.
|
| inventory | List all discovered MCP configurations and servers without CVE scanning. Performs fast discovery and package extraction only — no vulnerability
scanning. Use this for a quick inventory of configs, servers, and packages.
Returns:
JSON with discovered agents, their MCP servers, packages, and
transport types.
|
| diff | Compare a fresh scan against a baseline to find new and resolved vulns. Runs a new scan, then diffs it against the provided baseline (or the
latest saved report). Shows new vulnerabilities, resolved ones, and
changes in the package inventory.
Returns:
JSON with new findings, resolved findings, new/removed packages,
and a human-readable summary.
|
| marketplace_check | Pre-install trust check for an MCP server package. Queries the package registry (npm or PyPI) for metadata and
cross-references against the agent-bom MCP threat intelligence registry.
Returns trust signals including download count, CVE status, and
registry verification.
Args:
package: Package name to check.
ecosystem: 'npm' or 'pypi'. Defaults to 'npm'.
Returns:
JSON with name, version, ecosystem, cve_count, download_count,
registry_verified, and trust_signals.
|
| code_scan | Run SAST (Static Application Security Testing) on source code via Semgrep. Scans for security flaws: SQL injection, XSS, command injection,
hardcoded credentials, insecure deserialization, path traversal, etc.
Returns findings with CWE classifications and severity levels.
Requires ``semgrep`` on PATH (``pip install semgrep``).
|
| context_graph | Build an agent context graph with lateral movement analysis. Models reachability between agents, servers, credentials, tools,
and vulnerabilities. Answers: "If agent X is compromised, what
else becomes reachable?"
Returns:
JSON with nodes, edges, lateral_paths, interaction_risks, and stats.
|
| analytics_query | Query vulnerability trends, posture history, and runtime event summaries from ClickHouse. Requires AGENT_BOM_CLICKHOUSE_URL to be set. Returns empty results if
ClickHouse is not configured.
|
| cis_benchmark | Run CIS benchmark checks against a cloud account. Evaluates security posture against CIS Foundations Benchmarks:
- AWS Foundations v3.0: 18 checks (IAM, Storage, Logging, Networking)
- Snowflake v1.0: 12 checks (Auth, Network, Data Protection, Monitoring, Access Control)
All checks are read-only. Requires appropriate credentials (AWS or Snowflake).
Returns:
JSON with per-check pass/fail results, evidence, severity, and pass rate.
|
| fleet_scan | Batch-scan a list of MCP server names against the security metadata registry. Designed for fleet inventory data (CrowdStrike, SIEM, CSV exports) where
you have server names but not versions. Returns per-server risk assessment
with registry match status, risk category, tools, credentials, known CVEs,
and a verdict (known-high-risk, known-medium, known-low, unknown-unvetted).
Risk levels are category-derived (filesystem=high, database=medium,
search=low), not made-up threat scores. Every field is traceable to a source.
Returns:
JSON with summary (total, matched, unmatched, risk breakdown)
and per-server details.
|
| runtime_correlate | Cross-reference vulnerability scan results with proxy runtime audit logs. Identifies which vulnerable tools were ACTUALLY CALLED in production,
distinguishing confirmed attack surface from theoretical risk. Produces
risk-amplified findings: a vulnerable tool that was called 100 times is
higher priority than one never invoked.
Requires a proxy audit log (generated by running agent-bom proxy with
the --log flag). Without an audit log, returns scan results only.
Returns:
JSON with correlated findings (CVE + tool call data + amplified risk),
summary stats, and uncalled vulnerable tools.
|
