msaad00

agent-bom registry

Author: Agent Bom · GitHub · v0.82.3 · MIT-0
darwin, linux, windows ⚠ suspicious
Total downloads: 744
Favorites: 0
Current installs: 1
Versions: 36
Install in OpenClaw
/install agent-bom-registry
Description
MCP server security registry and trust assessment — look up servers in the 427+ server security metadata registry, run pre-install marketplace checks, batch...
Usage instructions (SKILL.md)

agent-bom-registry — MCP Server Trust & Security Registry

Look up MCP servers in the 427+ server security metadata registry, assess skill file trust, and run pre-install marketplace checks.

Install

pipx install agent-bom
agent-bom registry-lookup brave-search
agent-bom marketplace-check @anthropic/server-filesystem

Tools (7)

| Tool | Description |
| --- | --- |
| registry_lookup | Look up MCP server in 427+ server security metadata registry |
| marketplace_check | Pre-install trust check with registry cross-reference |
| fleet_scan | Batch registry lookup + risk scoring for MCP server inventories |
| skill_scan | Scan instruction files for package refs, trust, and findings |
| skill_verify | Verify Sigstore provenance for instruction files |
| skill_trust | Assess skill file trust level (5-category analysis) |
| code_scan | SAST scanning via Semgrep with CWE-based compliance mapping |

Example Workflows

# Look up a server in the registry
registry_lookup(server_name="brave-search")

# Pre-install trust check
marketplace_check(package="@modelcontextprotocol/server-filesystem")

# Scan instruction files and then assess a specific skill file
skill_scan(path=".")
skill_trust(skill_path="./SKILL.md")

# Batch risk scoring
fleet_scan(servers=["brave-search", "github", "slack"])

MCP Resources

| Resource | Description |
| --- | --- |
| registry://servers | Browse 427+ MCP server security metadata registry |

Privacy & Data Handling

Registry data is bundled in the package — lookups are in-memory string matches with zero network calls. Skill trust analysis parses content passed as a string argument (no file system access needed).

Verification

  • Source: github.com/msaad00/agent-bom (Apache-2.0)
  • 7,100+ tests with CodeQL + OpenSSF Scorecard
  • No telemetry: Zero tracking, zero analytics
Security usage recommendations
This skill appears to do what it claims (local registry lookups and trust/SAST checks), but the documentation contradicts itself about reading local files and using networked enrichment. Before installing: (1) inspect the agent-bom package on PyPI or its GitHub source to confirm what files it reads and whether it makes network calls; (2) do not provide an optional SNYK_TOKEN unless you need Snyk integration and trust the package; (3) avoid running scans that target your entire repository (e.g., skill_scan(path='.')) on sensitive data until you confirm exactly what the tool will read/transmit; (4) consider running the package in a sandbox or review its source code (or Sigstore provenance) before granting it access to local files.
Functional analysis
Type: OpenClaw Skill
Name: agent-bom-registry
Version: 0.82.3

The agent-bom-registry skill is a security utility designed for assessing MCP (Model Context Protocol) servers and skill files. It provides tools for registry lookups, SAST scanning via Semgrep, and trust assessments (e.g., skill_trust, skill_verify). The documentation in SKILL.md and _meta.json is professional, emphasizes local execution, and contains no indicators of malicious intent, data exfiltration, or prompt injection. The only network endpoint mentioned is an optional, authenticated call to Snyk for vulnerability enrichment.
Capability assessment
Purpose & Capability
Name/description (MCP server registry, trust assessment, SAST) matches the declared capabilities (registry_lookup, marketplace_check, code_scan). The packaged-registry claim and optional Semgrep/Snyk enrichment are coherent with the stated purpose.
Instruction Scope
The SKILL.md repeatedly states "no network calls needed" and that registry data is bundled and lookups are in-memory, but example commands include skill_scan(path='.') and skill_trust(skill_path='./SKILL.md') which imply reading local files and scanning arbitrary paths. The openclaw metadata both says "no file system access needed" and also lists file_reads: user-provided SKILL.md files — an internal contradiction. Additionally, code_scan and skill_verify (Sigstore provenance) may require outbound network access for enrichment or signature verification even if optional. These inconsistencies mean the skill could read more of the local filesystem or access network services than the top-level claims imply.
Install Mechanism
This is an instruction-only skill that points to installing a PyPI package (pipx/pip). No bundled install script or remote archive URLs are embedded in the skill bundle itself. Installing from PyPI is a normal mechanism, but you should review the actual PyPI package/source before trusting it.
Credentials
No required environment variables or credentials are declared; only an optional SNYK_TOKEN is listed for third-party vulnerability enrichment. Requesting an optional SNYK_TOKEN is proportionate to optional Snyk integration, but providing that token would enable network calls to api.snyk.io — only supply it if you trust the package and need the enrichment feature.
Persistence & Privilege
Metadata shows no persistence, no telemetry, always:false, and autonomous invocation restricted. The skill does not request persistent installation privileges or cross-skill configuration changes.
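How to use
  1. Make sure OpenClaw is installed (local or Docker deployment).
  2. Enter the install command in the chat box: /install agent-bom-registry
  3. Once installed, invoke the skill by name or trigger it with /agent-bom-registry.
  4. Provide the required inputs according to the skill's parameter description to get structured output.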
Version history
  • v0.82.3: Release v0.82.3
  • v0.82.2: Release v0.82.2
  • v0.81.3: Release v0.81.3
  • v0.81.1: Release v0.81.1
  • v0.81.0: Release v0.81.0
  • v0.80.1: Release v0.80.1
  • v0.78.1: Release v0.78.1
  • v0.76.4: Release v0.76.4
  • v0.76.2: Release v0.76.2
  • v0.76.1: Release v0.76.1
  • v0.76.0: Release v0.76.0
  • v0.75.15: Release v0.75.15
  • v0.75.14: Release v0.75.14
  • v0.75.13: Release v0.75.13
  • v0.75.11: Release v0.75.11
  • v0.75.10: Release v0.75.10
  • v0.75.9: Release v0.75.9
  • v0.75.8: Release v0.75.8
  • v0.75.7: Release v0.75.7
  • v0.75.6: Release v0.75.6
Metadata
Slug: agent-bom-registry
Version: 0.82.3
License: MIT-0
Total installs: 1
Current installs: 1
Historical versions: 36
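FAQ

What is agent-bom registry?

MCP server security registry and trust assessment — look up servers in the 427+ server security metadata registry, run pre-install marketplace checks, batch... It is an AI agent skill plugin for Claude Code / OpenClaw, with 744 total downloads to date.

How do I install agent-bom registry?

Run the command "/install agent-bom-registry" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.

Is agent-bom registry free?

Yes, agent-bom registry is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does agent-bom registry support?

agent-bom registry is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (darwin, linux, windows).

Who develops agent-bom registry?

It is developed and maintained by Agent Bom (@msaad00); the current version is v0.82.3.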
