agent-bom-registry — MCP Server Trust & Security Registry
Look up MCP servers in the 427+ server security metadata registry, assess skill file trust, and run pre-install marketplace checks.
Install
pipx install agent-bom
agent-bom registry-lookup brave-search
agent-bom marketplace-check @anthropic/server-filesystem
Tools (7)
| Tool | Description |
|---|---|
registry_lookup | Look up MCP server in 427+ server security metadata registry |
marketplace_check | Pre-install trust check with registry cross-reference |
fleet_scan | Batch registry lookup + risk scoring for MCP server inventories |
skill_scan | Scan instruction files for package refs, trust, and findings |
skill_verify | Verify Sigstore provenance for instruction files |
skill_trust | Assess skill file trust level (5-category analysis) |
code_scan | SAST scanning via Semgrep with CWE-based compliance mapping |
Example Workflows
# Look up a server in the registry
registry_lookup(server_name="brave-search")
# Pre-install trust check
marketplace_check(package="@modelcontextprotocol/server-filesystem")
# Scan instruction files and then assess a specific skill file
skill_scan(path=".")
skill_trust(skill_path="./SKILL.md")
# Batch risk scoring
fleet_scan(servers=["brave-search", "github", "slack"])
MCP Resources
| Resource | Description |
|---|---|
registry://servers | Browse 427+ MCP server security metadata registry |
Privacy & Data Handling
Registry data is bundled in the package — lookups are in-memory string matches with zero network calls. Skill trust analysis parses content passed as a string argument (no file system access needed).
Verification
- Source: github.com/msaad00/agent-bom (Apache-2.0)
- 7,100+ tests with CodeQL + OpenSSF Scorecard
- No telemetry: Zero tracking, zero analytics