agent-bom — AI Agent Infrastructure Security Scanner

Discovers MCP clients and servers across 22 AI tools, scans for CVEs, maps
blast radius, runs cloud CIS benchmarks, checks OWASP/NIST/MITRE compliance,
generates SBOMs, and assesses AI infrastructure against AISVS v1.0 and MAESTRO
framework layers.

Install

CODEBLOCK0

As an MCP Server

CODEBLOCK1

Sub-Skills (8)

Sub-Skill	Purpose	Triggers
discover	Find agents, MCP servers, configurations	"find agents", "what's configured", "mcp inventory"
scan

CVE scanning, image scanning, SBOM, provenance | "check package", "scan image", "verify", "blast radius" | | scan-infra | IaC, cloud config, secrets scanning | "check terraform", "scan kubernetes", "find secrets" | | enforce | Runtime policy enforcement, MCP proxy | "block risky calls", "apply policy", "proxy" | | compliance | 14-framework compliance, SBOM generation | "compliance report", "NIST", "SOC 2", "OWASP" | | monitor | Fleet monitoring, trust scores, lifecycle | "fleet", "watch agents", "trust scores" | | analyze | Blast radius, attack paths, context graph | "blast radius", "threat intel", "attack path" | | troubleshoot | Diagnostics, doctor, config validation | "doctor", "debug", "why failing", "validate config" |

Tools

Vulnerability Scanning

Tool	Description
INLINECODE0	Full discovery + vulnerability scan pipeline
INLINECODE1

Check a package for CVEs (OSV, NVD, EPSS, KEV) |

| blast_radius | Map CVE impact chain across agents, servers, credentials | | remediate | Prioritized remediation plan for vulnerabilities | | verify | Package integrity + SLSA provenance check | | diff | Compare two scan reports (new/resolved/persistent) | | where | Show MCP client config discovery paths | | inventory | List discovered agents, servers, packages |

Compliance & Policy

Tool	Description
INLINECODE8	OWASP LLM/Agentic Top 10, EU AI Act, MITRE ATLAS, NIST AI RMF
INLINECODE9

Evaluate results against custom security policy (17 conditions) |

| cis_benchmark | CIS benchmark checks (AWS, Azure v3.0, GCP v3.0, Snowflake) | | generate_sbom | Generate SBOM (CycloneDX or SPDX format) | | aisvs_benchmark | OWASP AISVS v1.0 compliance — 9 AI security checks |

Registry & Trust

Tool	Description
INLINECODE13	Look up MCP server in 427+ server security metadata registry
INLINECODE14

Pre-install trust check with registry cross-reference |

| fleet_scan | Batch registry lookup + risk scoring for MCP server inventories | | skill_scan | Scan instruction files for package refs, trust, and findings | | skill_verify | Verify Sigstore provenance for instruction files | | skill_trust | Assess skill file trust level (5-category analysis) | | code_scan | SAST scanning via Semgrep with CWE-based compliance mapping |

Runtime & Analytics

Tool	Description
INLINECODE20	Agent context graph with lateral movement analysis
INLINECODE21

Query vulnerability trends, posture history, and runtime events |

| runtime_correlate | Cross-reference proxy audit JSONL with CVE findings, risk amplification | | vector_db_scan | Probe Qdrant/Weaviate/Chroma/Milvus for auth and exposure | | gpu_infra_scan | GPU container and K8s node inventory + unauthenticated DCGM probe (MAESTRO KC6) |

Specialized Scans

Tool	Description
INLINECODE25	Scan dataset cards for bias, licensing, and provenance issues
INLINECODE26

Scan training pipeline configs for security risks |

| browser_extension_scan | Scan browser extensions for risky permissions and AI domain access | | model_provenance_scan | Verify model provenance and supply chain integrity | | prompt_scan | Scan prompt templates for injection and data leakage risks | | model_file_scan | Scan model files for unsafe serialization (pickle, etc.) | | license_compliance_scan | Full SPDX license catalog scan with copyleft and network-copyleft detection | | ingest_external_scan | Import external scan results (CycloneDX/SPDX/JSON) and merge into agent-bom findings |

Resources

Resource	Description
INLINECODE33	Browse 427+ MCP server security metadata registry

Example Workflows

CODEBLOCK2

Guardrails

Always do:

• - Show CVEs even when NVD analysis is pending or severity is unknown — a CVE ID with no details is still a real finding. Report what is known; mark severity as unknown explicitly.
• Confirm with the user before scanning cloud environments (cis_benchmark) — these make live API calls to AWS/Azure/GCP using the user's credentials.
• Treat UNKNOWN severity as unresolved, not benign — it means data is not yet available, not that the issue is minor.

Never do:

• - Do not modify any files, install packages, or change system configuration. This skill is read-only.
• Do not transmit env var values, credentials, or file contents to any external service. Only package names and CVE IDs leave the machine.
• Do not invoke agents() autonomously on sensitive environments without user confirmation. The autonomous_invocation policy is restricted.

Stop and ask the user when:

• - The user requests a cloud CIS benchmark and no cloud credentials are configured.
• A scan finds CRITICAL CVEs — present findings and ask whether to generate a remediation plan.
• The user asks to scan a path outside their home directory.

Supported Frameworks (14)

• - OWASP LLM Top 10 (2025) — prompt injection, supply chain, data leakage
• OWASP MCP Top 10 — MCP-specific security risks
• OWASP Agentic Top 10 — tool poisoning, rug pulls, credential theft
• OWASP AISVS v1.0 — AI Security Verification Standard (9 checks)
• MITRE ATLAS — adversarial ML threat framework
• NIST AI RMF — govern, map, measure, manage lifecycle
• NIST CSF 2.0 — identify, protect, detect, respond, recover
• NIST 800-53 Rev 5 — federal security controls (CM-8, RA-5, SI-2, SR-3)
• FedRAMP Moderate — derived from NIST 800-53 controls
• EU AI Act — risk classification, transparency, SBOM requirements
• ISO 27001:2022 — information security controls (Annex A)
• SOC 2 — Trust Services Criteria
• CIS Controls v8 — implementation groups IG1/IG2/IG3
• CMMC 2.0 — cybersecurity maturity model (Level 1-3)

Privacy & Data Handling

This skill installs agent-bom from PyPI. Verify the redaction behavior
before running with any config files:

CODEBLOCK3

What is extracted: Server names, commands, args, and URLs from MCP client
config files across 22 AI tools. What is NOT extracted: Env var values are
replaced with ***REDACTED*** by sanitize_env_vars() before any processing.
Only public package names and CVE IDs are sent to vulnerability databases.
Cloud CIS checks use locally configured credentials and call only the cloud
provider's own APIs.

Verification

• - Source: github.com/msaad00/agent-bom (Apache-2.0)
• Sigstore signed: INLINECODE44
• 7,100+ tests with CodeQL + OpenSSF Scorecard
• No telemetry: Zero tracking, zero analytics