agent-bom registry
Verified
MCP server security registry and trust assessment — look up servers in the 427+ server security metadata registry, run pre-install marketplace checks, batch...
About This Skill
# agent-bom-registry — MCP Server Trust & Security Registry
Look up MCP servers in the 427+ server security metadata registry, assess skill file trust, and run pre-install marketplace checks.
Install
```bash
pipx install agent-bom
agent-bom registry-lookup brave-search
agent-bom marketplace-check @anthropic/server-filesystem
```
Tools (5)
| Tool | Description |
|------|-------------|
| `registry_lookup` | Look up MCP server in 427+ server security metadata registry |
| `marketplace_check` | Pre-install trust check with registry cross-reference |
| `fleet_scan` | Batch registry lookup + risk scoring for MCP server inventories |
| `skill_trust` | Assess skill file trust level (5-category analysis) |
| `code_scan` | SAST scanning via Semgrep with CWE-based compliance mapping |
Example Workflows
```
# Look up a server in the registry
registry_lookup(server_name="brave-search")

# Pre-install trust check
marketplace_check(package="@modelcontextprotocol/server-filesystem")

# Assess trust of a skill file
skill_trust(skill_content="<paste SKILL.md content>")

# Batch risk scoring
fleet_scan(servers=["brave-search", "github", "slack"])
```
MCP Resources
| Resource | Description |
|----------|-------------|
| `registry://servers` | Browse 427+ MCP server security metadata registry |
Privacy & Data Handling
Registry data is bundled in the package — lookups are in-memory string matches with zero network calls. Skill trust analysis parses content passed as a string argument (no file system access needed).
Verification
- Source: github.com/msaad00/agent-bom (Apache-2.0)
- 6,040+ tests with CodeQL + OpenSSF Scorecard
- No telemetry: Zero tracking, zero analytics
Use Cases
- Look up security metadata for MCP servers from a 427+ server registry
- Assess trust level of skill files before installation
- Run pre-install marketplace checks on MCP server packages
- Query known vulnerabilities for specific MCP server implementations
- Verify MCP server integrity against the security metadata database
Pros & Cons
Pros
- Large registry of 427+ MCP servers with pre-computed security metadata
- Provides 5 specialized lookup tools for different security assessment needs
- Installable via pipx for easy setup and isolation
Cons
- Registry coverage depends on community submissions — may miss newer servers
- Security metadata is point-in-time — may not reflect latest vulnerabilities
- Limited to MCP ecosystem — not applicable to other agent tool protocols