← Back to Skills Marketplace
msaad00

agent-bom runtime

by Agent Bom · GitHub ↗ · v0.82.3 · MIT-0
darwinlinuxwindows ⚠ suspicious
755
Downloads
0
Stars
1
Active Installs
35
Versions
Install in OpenClaw
/install agent-bom-runtime
Description
AI runtime security monitoring — context graph analysis, runtime audit log correlation with CVE findings, and vulnerability analytics queries. Use when the u...
README (SKILL.md)

agent-bom-runtime — AI Runtime Security Monitoring

Context graph analysis, runtime audit log correlation with CVE findings, and vulnerability analytics queries.

Install

pipx install agent-bom

Tools (3)

Tool Description
context_graph Agent context graph with lateral movement analysis
analytics_query Query vulnerability trends, posture history, and runtime events
runtime_correlate Cross-reference runtime audit logs with CVE findings

Example Workflows

# Build context graph from scan results
context_graph()

# Correlate runtime audit with CVE data
runtime_correlate(audit_file="proxy-audit.jsonl")

# Query analytics
analytics_query(query="top_cves", days=30)

Privacy & Data Handling

Operates on scan results already in memory and user-provided audit log files. No automatic file discovery. No network calls unless you configure an optional ClickHouse endpoint for persistent analytics.

Verification

  • Source: github.com/msaad00/agent-bom (Apache-2.0)
  • 7,100+ tests with CodeQL + OpenSSF Scorecard
  • No telemetry: Zero tracking, zero analytics
Usage Guidance
This SKILL.md reads like documentation for an external Python package rather than a self-contained skill. Before installing or enabling it: 1) Inspect the referenced PyPI/GitHub package (https://github.com/msaad00/agent-bom and PyPI page) to verify source code, release artifacts, and what env vars it actually uses (especially ClickHouse and kubectl integrations). 2) Confirm how the agent will obtain the package—automatic pip installs run arbitrary package code at install time; prefer installing into an isolated environment (pipx or a virtualenv) and reviewing package contents first. 3) If you plan to provide audit logs or a ClickHouse endpoint, make sure credentials are scoped and stored safely (do not expose cluster-wide kubeconfigs or broad DB credentials). 4) Ask the skill author (or check repo) for explicit env var names and a clear install manifest; if those are added (or the skill bundles its implementation), reassess. Given the current mismatch between claimed tools and the lack of bundled code/install spec, proceed cautiously.
Capability Analysis
Type: OpenClaw Skill Name: agent-bom-runtime Version: 0.82.3 The skill bundle contains metadata and documentation for 'agent-bom-runtime', a tool designed for AI runtime security monitoring and audit log correlation. The SKILL.md file describes legitimate security analysis functions (context graphs, CVE correlation) and explicitly outlines a privacy-conscious data flow with no telemetry or unauthorized network access. No malicious instructions, prompt injection attempts, or suspicious obfuscation were found in the provided documentation.
Capability Assessment
Purpose & Capability
The name/description (runtime security monitoring, context graphs, audit correlation) aligns with the declared capabilities. However, the SKILL.md repeatedly references an external Python package (agent-bom) and callable tools (context_graph, runtime_correlate, analytics_query) while the registry entry provides no code files and no install spec—so the skill is only documentation describing capabilities that depend on an external package.
Instruction Scope
Instructions say the tool operates only on in-memory scan results and user-provided audit log files (JSONL) and claims 'no automatic file discovery' which is good. But the SKILL.md also instructs installing the agent-bom package via pipx/pip and shows function-like invocations (context_graph(), runtime_correlate(...)). Because there is no bundled implementation, it's unclear whether the agent is expected to import/run external code, install packages, or simply follow high-level guidance. The agent could attempt network installs or run code not present in the skill, which expands the runtime scope beyond the skill's contents.
Install Mechanism
There is no formal install spec; the document suggests installing via pipx or pip (and lists a PyPI URL). That is a legitimate, common pattern, but the registry lacks an automated install entry. This mismatch means the agent or user must perform an installation step outside the skill—if done automatically it would fetch code from PyPI/GitHub (network download). The absence of an explicit install manifest in the skill is an integrity/traceability gap.
Credentials
The skill declares 'Zero credentials required' and lists no required env vars, which is consistent with the description. However, it refers to an optional ClickHouse endpoint and optional kubectl usage without declaring the env var names or how credentials would be supplied. That omission makes it unclear what secrets (ClickHouse URL, DB creds, kubeconfig access) the package might request when actually installed and configured.
Persistence & Privilege
Skill metadata shows always: false and autonomous_invocation restricted. The skill declares no persistence, no telemetry, and no privilege escalation. There's no indication it would demand permanent presence or system-wide configuration changes.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install agent-bom-runtime
  3. After installation, invoke the skill by name or use /agent-bom-runtime
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.82.3
Release v0.82.3
v0.82.2
Release v0.82.2
v0.81.3
Release v0.81.3
v0.81.1
Release v0.81.1
v0.81.0
Release v0.81.0
v0.80.1
Release v0.80.1
v0.78.1
Release v0.78.1
v0.76.4
Release v0.76.4
v0.76.2
Release v0.76.2
v0.76.1
Release v0.76.1
v0.76.0
Release v0.76.0
v0.75.15
Release v0.75.15
v0.75.14
Release v0.75.14
v0.75.13
Release v0.75.13
v0.75.11
Release v0.75.11
v0.75.10
Release v0.75.10
v0.75.9
Release v0.75.9
v0.75.8
Release v0.75.8
v0.75.7
Release v0.75.7
v0.75.6
Release v0.75.6
Metadata
Slug agent-bom-runtime
Version 0.82.3
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 35
Frequently Asked Questions

What is agent-bom runtime?

AI runtime security monitoring — context graph analysis, runtime audit log correlation with CVE findings, and vulnerability analytics queries. Use when the u... It is an AI Agent Skill for Claude Code / OpenClaw, with 755 downloads so far.

How do I install agent-bom runtime?

Run "/install agent-bom-runtime" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is agent-bom runtime free?

Yes, agent-bom runtime is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does agent-bom runtime support?

agent-bom runtime is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux, windows).

Who created agent-bom runtime?

It is built and maintained by Agent Bom (@msaad00); the current version is v0.82.3.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments