| scanA | Run a full AI supply chain security scan. Discovers local MCP configurations (Claude Desktop, Cursor, Windsurf,
VS Code Copilot, OpenClaw, etc.), extracts package dependencies, queries
OSV.dev for CVEs, assesses config security (credential exposure, tool access),
computes blast radius, and returns structured results.
Returns:
JSON with the complete AI-BOM report including agents, packages,
vulnerabilities, blast radius, and remediation guidance.
|
| checkA | Check a specific package for known CVEs before installing. Queries OSV.dev for vulnerabilities in the given package. Use this
before installing an MCP server or dependency to verify it is safe.
Args:
package: Package name with optional version, e.g. "express@4.18.2",
"@modelcontextprotocol/server-filesystem@2025.1.14",
or just "requests" (resolves @latest).
ecosystem: Package ecosystem — "npm", "pypi", "go", "cargo",
"maven", "nuget", "rubygems", "composer", "swift",
"pub", "hex", "conda", "deb", "apk", or "rpm".
Defaults to "npm".
Returns:
JSON with package, version, ecosystem, vulnerability count,
and vulnerability details (id, severity, cvss, fix version, summary).
|
| blast_radiusA | Look up the blast radius of a specific CVE across your AI agent setup. Scans local MCP configurations, finds the specified CVE, and returns
the full attack chain: which packages are affected, which MCP servers
use those packages, which agents connect to those servers, and what
credentials and tools are exposed.
Args:
cve_id: The CVE identifier (e.g. "CVE-2024-1234" or "GHSA-xxxx").
Returns:
JSON with blast radius details including risk_score,
affected_servers, affected_agents, exposed_credentials, and
exposed_tools. Returns found=false if CVE not found.
|
| policy_checkA | Evaluate a security policy against current scan results. Runs a scan, then evaluates the provided policy rules against the
findings. Policies can gate on severity thresholds, CISA KEV status,
AI risk flags, credential exposure, and denied packages.
Args:
policy_json: JSON string containing policy rules. Example:
{"rules": [{"id": "no-critical", "severity_gte": "critical",
"action": "fail"}, {"id": "no-kev", "kev": true, "action": "fail"}]}
Returns:
JSON with passed (bool), violations list, failure_count, and
warning_count.
|
| registry_lookupA | Query the agent-bom MCP server threat intelligence registry. Look up risk level, known tools, credential requirements, and
verification status for known MCP servers. The registry contains
109+ servers with security metadata.
Args:
server_name: MCP server name to look up (e.g. "filesystem",
"@modelcontextprotocol/server-github").
package_name: Package name to search for (e.g. "mcp-server-sqlite").
At least one of server_name or package_name is required.
Returns:
JSON with registry entry: risk_level, verified, tools,
credential_env_vars, risk_justification. Returns found=false
if not found.
|
| generate_sbomA | Generate a Software Bill of Materials (SBOM) for your AI agent setup. Discovers AI agents and MCP servers, extracts all package dependencies,
and generates a standards-compliant SBOM.
Args:
format: SBOM format — "cyclonedx" (CycloneDX 1.6) or "spdx" (SPDX 3.0).
config_path: Path to a specific MCP config directory.
If not provided, auto-discovers all local agent configs.
Returns:
JSON string containing the SBOM in the requested format.
|
| complianceA | Get OWASP LLM Top 10 / OWASP MCP Top 10 / MITRE ATLAS / NIST AI RMF compliance posture. Scans local MCP configurations, maps findings to 47 security controls
across four AI security frameworks, and returns per-control
pass/warning/fail status with an overall compliance score.
Args:
config_path: Path to a specific MCP config directory.
If not provided, auto-discovers all local agent configs.
image: Docker image reference to scan (e.g. "nginx:1.25").
Returns:
JSON with overall_score (0-100), overall_status (pass/warning/fail),
and per-control details for OWASP LLM Top 10 (10 controls),
OWASP MCP Top 10 (10 controls), MITRE ATLAS (13 techniques),
and NIST AI RMF (14 subcategories).
|
| remediateA | Generate a remediation plan for vulnerabilities in your AI agent setup. Scans for vulnerabilities, then generates actionable fix commands for
each affected package (npm install, pip install), credential scope
reduction guidance, and reports on unfixable vulnerabilities.
Args:
config_path: Path to a specific MCP config directory.
If not provided, auto-discovers all local agent configs.
image: Docker image reference to scan (e.g. "nginx:1.25").
Returns:
JSON with package_fixes (upgrade commands by ecosystem),
credential_fixes (scope reduction steps), and unfixable items.
|
| verifyA | Verify package integrity and SLSA provenance against registries. Checks SHA-256/SRI hashes against npm/PyPI registries and looks up
SLSA build provenance attestations to confirm the package was built
from its claimed source repository.
Returns:
JSON with integrity verification (hash match, expected vs actual)
and provenance status (SLSA level, source repo, build trigger).
|
| skill_scanA | Scan skill and instruction files for trust, findings, and provenance. |
| skill_verifyA | Verify Sigstore provenance for skill and instruction files. |
| skill_trustA | Assess the trust level of a SKILL.md file using ClawHub-style categories. |
| whereA | Show all MCP discovery paths and which config files exist. |
| inventoryA | List all discovered MCP configurations and servers without CVE scanning. |
| tool_risk_assessmentA | Score live-introspected MCP tool capabilities and server risk. |
| diffA | Compare a fresh scan against a baseline to find new and resolved vulns. Runs a new scan, then diffs it against the provided baseline (or the
latest saved report). Shows new vulnerabilities, resolved ones, and
changes in the package inventory.
Returns:
JSON with new findings, resolved findings, new/removed packages,
and a human-readable summary.
|
| marketplace_checkA | Pre-install trust check for an MCP server package. Queries the package registry (npm or PyPI) for metadata and
cross-references against the agent-bom MCP threat intelligence registry.
Returns trust signals including download count, CVE status, and
registry verification.
Args:
package: Package name to check.
ecosystem: 'npm' or 'pypi'. Defaults to 'npm'.
Returns:
JSON with name, version, ecosystem, cve_count, download_count,
registry_verified, and trust_signals.
|
| code_scanA | Run SAST (Static Application Security Testing) on source code via Semgrep. Scans for security flaws: SQL injection, XSS, command injection,
hardcoded credentials, insecure deserialization, path traversal, etc.
Returns findings with CWE classifications and severity levels.
Requires ``semgrep`` on PATH (``pip install semgrep``).
|
| context_graphA | Build an agent context graph with lateral movement analysis. Models reachability between agents, servers, credentials, tools,
and vulnerabilities. Answers: "If agent X is compromised, what
else becomes reachable?"
Returns:
JSON with nodes, edges, lateral_paths, interaction_risks, and stats.
|
| graph_exportA | Export the agent dependency graph in graph-native formats. Formats:
- **graphml** — yEd, Gephi, NetworkX compatible with AIBOM-typed attributes
- **cypher** — Neo4j import script with AIBOM node labels (AIAgent, MCPServer, Package, Vulnerability)
- **dot** — Graphviz (pipe through ``dot -Tsvg``)
- **mermaid** — embed in markdown, GitHub, Notion
- **json** — machine-readable nodes/edges list
Returns:
Graph in the requested format as a string.
|
| analytics_queryA | Query vulnerability trends, posture history, and runtime event summaries from ClickHouse. Requires AGENT_BOM_CLICKHOUSE_URL to be set. Returns empty results if
ClickHouse is not configured.
|
| cis_benchmarkA | Run CIS benchmark checks against a cloud account. Evaluates security posture against CIS Foundations Benchmarks:
- AWS Foundations v3.0: 18 checks (IAM, Storage, Logging, Networking)
- Snowflake v1.0: 12 checks (Auth, Network, Data Protection, Monitoring, Access Control)
- Azure Security Benchmark v3.0: 10 checks (IAM, Storage, Logging, Networking, Key Vault)
- GCP Foundation v3.0: 8 checks (IAM, Logging, Networking, Storage)
All checks are read-only. Failed checks include MITRE ATT&CK Enterprise technique mappings.
Requires appropriate credentials for the chosen provider.
Returns:
JSON with per-check pass/fail results, evidence, severity, ATT&CK techniques, and pass rate.
|
| fleet_scanA | Batch-scan a list of MCP server names against the security metadata registry. Designed for fleet inventory data (EDR, SIEM, CSV exports) where
you have server names but not versions. Returns per-server risk assessment
with registry match status, risk category, tools, credentials, known CVEs,
and a verdict (known-high-risk, known-medium, known-low, unknown-unvetted).
Risk levels are category-derived (filesystem=high, database=medium,
search=low), not made-up threat scores. Every field is traceable to a source.
Returns:
JSON with summary (total, matched, unmatched, risk breakdown)
and per-server details.
|
| runtime_correlateA | Cross-reference vulnerability scan results with proxy runtime audit logs. Identifies which vulnerable tools were ACTUALLY CALLED in production,
distinguishing confirmed attack surface from theoretical risk. Produces
risk-amplified findings: a vulnerable tool that was called 100 times is
higher priority than one never invoked.
Also accepts an OTel trace file (``otel_trace``) to extract ML API call
provenance: which models were called, token usage, and deprecation advisories.
Requires a proxy audit log (generated by running agent-bom proxy with
the --log flag). Without an audit log, returns scan results only.
Returns:
JSON with correlated findings (CVE + tool call data + amplified risk),
summary stats, uncalled vulnerable tools, and ml_api_calls provenance.
|
| vector_db_scanA | Scan for running vector databases and assess their security posture. |
| aisvs_benchmarkA | Run AISVS v1.0 (AI Security Verification Standard) compliance checks. |
| gpu_infra_scanB | Discover GPU/AI compute infrastructure: containers, K8s nodes, and DCGM endpoints. |
| dataset_card_scanA | Scan a directory for ML dataset card metadata, provenance, and optionally PII/PHI content. |
| training_pipeline_scanB | Scan a directory for ML training pipeline lineage and provenance. |
| browser_extension_scanA | Scan installed browser extensions for dangerous permissions. |
| model_provenance_scanB | Check ML model provenance and supply chain metadata. |
| prompt_scanA | Scan prompt template files for injection risks and security issues. |
| model_file_scanA | Scan a directory for ML model files and assess serialization risks. |
| ai_inventory_scanB | Scan source code for AI component usage patterns. |
| license_compliance_scanC | Evaluate package licenses against compliance policy. |
| ingest_external_scanA | Ingest Trivy, Grype, or Syft JSON scan output and return packages with blast radius analysis. |
