← Back to Skills Marketplace
msaad00

agent-bom registry

by Agent Bom · GitHub ↗ · v0.82.3 · MIT-0
darwinlinuxwindows ⚠ suspicious
744
Downloads
0
Stars
1
Active Installs
36
Versions
Install in OpenClaw
/install agent-bom-registry
Description
MCP server security registry and trust assessment — look up servers in the 427+ server security metadata registry, run pre-install marketplace checks, batch...
README (SKILL.md)

agent-bom-registry — MCP Server Trust & Security Registry

Look up MCP servers in the 427+ server security metadata registry, assess skill file trust, and run pre-install marketplace checks.

Install

pipx install agent-bom
agent-bom registry-lookup brave-search
agent-bom marketplace-check @anthropic/server-filesystem

Tools (7)

Tool Description
registry_lookup Look up MCP server in 427+ server security metadata registry
marketplace_check Pre-install trust check with registry cross-reference
fleet_scan Batch registry lookup + risk scoring for MCP server inventories
skill_scan Scan instruction files for package refs, trust, and findings
skill_verify Verify Sigstore provenance for instruction files
skill_trust Assess skill file trust level (5-category analysis)
code_scan SAST scanning via Semgrep with CWE-based compliance mapping

Example Workflows

# Look up a server in the registry
registry_lookup(server_name="brave-search")

# Pre-install trust check
marketplace_check(package="@modelcontextprotocol/server-filesystem")

# Scan instruction files and then assess a specific skill file
skill_scan(path=".")
skill_trust(skill_path="./SKILL.md")

# Batch risk scoring
fleet_scan(servers=["brave-search", "github", "slack"])

MCP Resources

Resource Description
registry://servers Browse 427+ MCP server security metadata registry

Privacy & Data Handling

Registry data is bundled in the package — lookups are in-memory string matches with zero network calls. Skill trust analysis parses content passed as a string argument (no file system access needed).

Verification

  • Source: github.com/msaad00/agent-bom (Apache-2.0)
  • 7,100+ tests with CodeQL + OpenSSF Scorecard
  • No telemetry: Zero tracking, zero analytics
Usage Guidance
This skill appears to do what it claims (local registry lookups and trust/SAST checks), but the documentation contradicts itself about reading local files and using networked enrichment. Before installing: (1) inspect the agent-bom package on PyPI or its GitHub source to confirm what files it reads and whether it makes network calls; (2) do not provide an optional SNYK_TOKEN unless you need Snyk integration and trust the package; (3) avoid running scans that target your entire repository (e.g., skill_scan(path='.') ) on sensitive data until you confirm exactly what the tool will read/transmit; (4) consider running the package in a sandbox or review its source code (or Sigstore provenance) before granting it access to local files.
Capability Analysis
Type: OpenClaw Skill Name: agent-bom-registry Version: 0.82.3 The agent-bom-registry skill is a security utility designed for assessing MCP (Model Context Protocol) servers and skill files. It provides tools for registry lookups, SAST scanning via Semgrep, and trust assessments (e.g., skill_trust, skill_verify). The documentation in SKILL.md and _meta.json is professional, emphasizes local execution, and contains no indicators of malicious intent, data exfiltration, or prompt injection. The only network endpoint mentioned is an optional, authenticated call to Snyk for vulnerability enrichment.
Capability Assessment
Purpose & Capability
Name/description (MCP server registry, trust assessment, SAST) matches the declared capabilities (registry_lookup, marketplace_check, code_scan). The packaged-registry claim and optional Semgrep/Snyk enrichment are coherent with the stated purpose.
Instruction Scope
The SKILL.md repeatedly states "no network calls needed" and that registry data is bundled and lookups are in-memory, but example commands include skill_scan(path='.') and skill_trust(skill_path='./SKILL.md') which imply reading local files and scanning arbitrary paths. The openclaw metadata both says "no file system access needed" and also lists file_reads: user-provided SKILL.md files — an internal contradiction. Additionally, code_scan and skill_verify (Sigstore provenance) may require outbound network access for enrichment or signature verification even if optional. These inconsistencies mean the skill could read more of the local filesystem or access network services than the top-level claims imply.
Install Mechanism
This is an instruction-only skill that points to installing a PyPI package (pipx/pip). No bundled install script or remote archive URLs are embedded in the skill bundle itself. Installing from PyPI is a normal mechanism, but you should review the actual PyPI package/source before trusting it.
Credentials
No required environment variables or credentials are declared; only an optional SNYK_TOKEN is listed for third-party vulnerability enrichment. Requesting an optional SNYK_TOKEN is proportionate to optional Snyk integration, but providing that token would enable network calls to api.snyk.io — only supply it if you trust the package and need the enrichment feature.
Persistence & Privilege
Metadata shows no persistence, no telemetry, always:false, and autonomous invocation restricted. The skill does not request persistent installation privileges or cross-skill configuration changes.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install agent-bom-registry
  3. After installation, invoke the skill by name or use /agent-bom-registry
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.82.3
Release v0.82.3
v0.82.2
Release v0.82.2
v0.81.3
Release v0.81.3
v0.81.1
Release v0.81.1
v0.81.0
Release v0.81.0
v0.80.1
Release v0.80.1
v0.78.1
Release v0.78.1
v0.76.4
Release v0.76.4
v0.76.2
Release v0.76.2
v0.76.1
Release v0.76.1
v0.76.0
Release v0.76.0
v0.75.15
Release v0.75.15
v0.75.14
Release v0.75.14
v0.75.13
Release v0.75.13
v0.75.11
Release v0.75.11
v0.75.10
Release v0.75.10
v0.75.9
Release v0.75.9
v0.75.8
Release v0.75.8
v0.75.7
Release v0.75.7
v0.75.6
Release v0.75.6
Metadata
Slug agent-bom-registry
Version 0.82.3
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 36
Frequently Asked Questions

What is agent-bom registry?

MCP server security registry and trust assessment — look up servers in the 427+ server security metadata registry, run pre-install marketplace checks, batch... It is an AI Agent Skill for Claude Code / OpenClaw, with 744 downloads so far.

How do I install agent-bom registry?

Run "/install agent-bom-registry" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is agent-bom registry free?

Yes, agent-bom registry is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does agent-bom registry support?

agent-bom registry is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux, windows).

Who created agent-bom registry?

It is built and maintained by Agent Bom (@msaad00); the current version is v0.82.3.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments