agent-bom-scan

Security scanner for AI infrastructure — discovers MCP clients and servers, checks packages for CVEs (OSV, NVD, EPSS, KEV), maps blast radius, and generates remediation plans. Use when the user mentions vulnerability scanning, dependency security, CVE lookup, blast radius analysis, or AI supply chain risk.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "agent-bom-scan" with this command: npx skills add msaad00/agent-bom-scan

agent-bom-scan — AI Supply Chain Vulnerability Scanner

Discovers MCP clients and servers across 22 AI tools, checks packages for CVEs, maps blast radius, and generates remediation plans.

Install

pipx install agent-bom
agent-bom scan              # auto-discover + scan
agent-bom check langchain   # check a specific package
agent-bom where             # show all discovery paths

As an MCP Server

{
  "mcpServers": {
    "agent-bom": {
      "command": "uvx",
      "args": ["agent-bom", "mcp"]
    }
  }
}

Tools (8)

ToolDescription
scanFull discovery + vulnerability scan pipeline
checkCheck a package for CVEs (OSV, NVD, EPSS, KEV)
blast_radiusMap CVE impact chain across agents, servers, credentials
remediatePrioritized remediation plan for vulnerabilities
verifyPackage integrity + SLSA provenance check
diffCompare two scan reports (new/resolved/persistent)
whereShow MCP client config discovery paths
inventoryList discovered agents, servers, packages

Example Workflows

# Check a package before installing
check(package="@modelcontextprotocol/server-filesystem", ecosystem="npm")

# Map blast radius of a CVE
blast_radius(cve_id="CVE-2024-21538")

# Full scan
scan()

Privacy & Data Handling

This skill installs agent-bom from PyPI. Verify the redaction behavior before running with any config files:

# Step 1: Install
pip install agent-bom

# Step 2: Review redaction logic BEFORE scanning
# sanitize_env_vars() replaces ALL env var values with ***REDACTED***
# BEFORE any config data is processed or stored:
# https://github.com/msaad00/agent-bom/blob/main/src/agent_bom/security.py#L159

# Step 3: Review config parsing — only structural data extracted:
# https://github.com/msaad00/agent-bom/blob/main/src/agent_bom/discovery/__init__.py

# Step 4: Verify package provenance (Sigstore)
agent-bom verify agent-bom

# Step 5: Only then run scans
agent-bom scan

What is extracted: Server names, commands, args, and URLs from MCP client config files across 22 AI tools. What is NOT extracted: Env var values are replaced with ***REDACTED*** by sanitize_env_vars() before any processing. Only public package names and CVE IDs are sent to vulnerability databases.

Verification

  • Source: github.com/msaad00/agent-bom (Apache-2.0)
  • Sigstore signed: `agent-bom verify agent-bom@0.71.0
  • 6,040+ tests with CodeQL + OpenSSF Scorecard
  • No telemetry: Zero tracking, zero analytics

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open Registry RecordOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

Ring Security

Monitor and manage Ring doorbells and security cameras. Query device status, review motion events, manage modes, and export event history. Use when you need...

Registry SourceRecently Updated
1780Profile unavailable
Security

Moses Governance Single

MO§ES™ Governance — Single-agent constitutional control. Enforces behavioral modes, posture controls, role awareness, and SHA-256 chained audit trail in one...

Registry SourceRecently Updated
830Profile unavailable
Security

Moses Audit

MO§ES™ Audit Trail — SHA-256 chained append-only governance ledger. Every agent appends before final response. Provides moses_log_action and moses_verify_cha...

Registry SourceRecently Updated
870Profile unavailable
Security

Sop Writer

SOP标准操作流程编写工具。创建SOP、流程图、检查清单、审核评估、模板库、培训材料。SOP writer with create, flowchart, checklist, audit, template, and training materials. Use when you need sop write...

Registry SourceRecently Updated
1610Profile unavailable