agent-bom-ingest

Validate and ingest operator-pushed agent-bom inventory JSON from AWS, Azure, GCP, Snowflake, CMDB, or endpoint collectors. Use when a user has canonical inventory JSON and wants local findings, graph, policy, provenance, or auditor-ready exports without giving agent-bom direct cloud credentials.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Install skill "agent-bom-ingest" with this command: npx skills add msaad00/agent-bom-ingest

agent-bom-ingest

Use this skill when the operator already produced canonical inventory JSON with an operator-pull adapter, endpoint collector, CMDB export, or AI-agent workflow. The default path is local validation plus local scan/export.

Guardrails

  • Validate inventory with the packaged schema before treating it as evidence.
  • Require discovery_provenance and permissions_used where the source claims cloud/operator-pushed discovery.
  • Require a trustworthy discovery_provenance.source_type such as operator_pushed_inventory or skill_invoked_pull; do not infer it from prose.
  • Do not invent provenance, permissions, cloud scopes, or credential posture.
  • Do not push to a control plane unless the operator provides the destination URL and auth method explicitly.
  • Do not print raw tokens, URL credentials, private keys, or env var values.

Workflow

Validate first:

agent-bom inventory validate inventory.json

Scan locally:

agent-bom agents --inventory inventory.json --format json --output agent-bom-findings.json

Choose output by consumer:

  • SARIF for CI/code-scanning gates
  • JSON for graph, API, and automation
  • HTML or Markdown for human review
  • CycloneDX/SPDX for SBOM consumers

Evidence Contract

Valid inventory preserves discovery_provenance, permissions_used, cloud_origin, redaction state, package identity, server identity, tools, and security intelligence. If the inventory is malformed or missing required trust fields, stop and ask the operator to regenerate it rather than scanning a best-effort summary.
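
A pre-scan gate for the stop condition above, as an added example that is not part of the skill or of agent-bom. It assumes discovery_provenance and permissions_used are top-level keys of the inventory (the page does not show the schema layout), and it complements agent-bom inventory validate rather than replacing it.

```python
import json

# Source types the page names as trustworthy; the packaged schema may allow others.
TRUSTED_SOURCE_TYPES = {"operator_pushed_inventory", "skill_invoked_pull"}


def trust_field_problems(inventory: dict) -> list[str]:
    """Return reasons to stop before scanning; an empty list means proceed.

    Assumption: both trust fields are top-level keys of the inventory object.
    """
    problems = []
    prov = inventory.get("discovery_provenance")
    if not isinstance(prov, dict):
        problems.append("discovery_provenance missing or not an object")
    else:
        source_type = prov.get("source_type")
        # Only an explicit, known value counts; nothing is inferred from prose
        # fields, and the offending value is not echoed back.
        if not isinstance(source_type, str) or source_type not in TRUSTED_SOURCE_TYPES:
            problems.append("source_type missing or not a trusted value")
    if inventory.get("permissions_used") is None:
        problems.append("permissions_used missing")
    return problems


def gate(raw_json: str) -> list[str]:
    """Parse operator-supplied JSON and apply the trust-field checks."""
    try:
        inventory = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"malformed JSON at line {exc.lineno}"]
    if not isinstance(inventory, dict):
        return ["top-level value is not an object"]
    return trust_field_problems(inventory)


# Constructed sample inputs (not real agent-bom output).
GOOD = ('{"discovery_provenance": {"source_type": "operator_pushed_inventory"},'
        ' "permissions_used": ["ec2:DescribeInstances"]}')
NO_PROVENANCE = '{"agents": [], "note": "pulled from AWS by the operator"}'
BAD_TYPE = '{"discovery_provenance": {"source_type": "unknown"}, "permissions_used": []}'

if __name__ == "__main__":
    for name, doc in [("good", GOOD), ("no_provenance", NO_PROVENANCE), ("bad_type", BAD_TYPE)]:
        issues = gate(doc)
        print(name, "-> scan" if not issues else f"-> stop, ask operator to regenerate: {issues}")
```

NO_PROVENANCE is the case the guardrails single out: the note field claims an operator pull, but without a structured discovery_provenance the gate stops instead of inferring one.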

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
