# Agent Bom

AI supply chain security scanner — 7 tools for CVE scanning, blast radius mapping, SBOM generation, compliance posture (OWASP/ATLAS/NIST), policy enforcement, and remediation planning for AI agents a…

## Quick Start

```bash
# Connect this server (installs CLI if needed)
npx -y @smithery/cli@latest mcp add agent-bom/agent-bom

# Browse available tools
npx -y @smithery/cli@latest tool list agent-bom/agent-bom

# Get full schema for a tool
npx -y @smithery/cli@latest tool get agent-bom/agent-bom scan

# Call a tool
npx -y @smithery/cli@latest tool call agent-bom/agent-bom scan '{}'
```

## Direct MCP Connection

Endpoint: `https://agent-bom--agent-bom.run.tools`

**Optional config:**
- `NVD_API_KEY` (query) — NVD API key for higher rate limits on CVSS enrichment

## Tools (36)

- `scan` — Run a full AI supply chain security scan.
- `check` — Check a specific package for known CVEs before installing.
- `blast_radius` — Look up the blast radius of a specific CVE across your AI agent setup.
- `policy_check` — Evaluate a security policy against current scan results.
- `registry_lookup` — Query the agent-bom MCP server threat intelligence registry.
- `generate_sbom` — Generate a Software Bill of Materials (SBOM) for your AI agent setup.
- `compliance` — Get OWASP LLM Top 10 / OWASP MCP Top 10 / MITRE ATLAS / NIST AI RMF compliance posture.
- `remediate` — Generate a remediation plan for vulnerabilities in your AI agent setup.
- `skill_scan` — Scan skill and instruction files for trust, findings, and provenance.
- `skill_verify` — Verify Sigstore provenance for skill and instruction files.
- `skill_trust` — Assess the trust level of a SKILL.md file using ClawHub-style categories.
- `verify` — Verify package integrity and SLSA provenance against registries.
- `where` — Show all MCP discovery paths and which config files exist.
- `inventory` — List all discovered MCP configurations and servers without CVE scanning.
- `tool_risk_assessment` — Score live-introspected MCP tool capabilities and server risk.
- `diff` — Compare a fresh scan against a baseline to find new and resolved vulnerabilities.
- `marketplace_check` — Pre-install trust check for an MCP server package.
- `code_scan` — Run SAST (Static Application Security Testing) on source code via Semgrep.
- `context_graph` — Build an agent context graph with lateral movement analysis.
- `graph_export` — Export the agent dependency graph in graph-native formats.
- `analytics_query` — Query vulnerability trends, posture history, and runtime event summaries from ClickHouse.
- `cis_benchmark` — Run CIS benchmark checks against a cloud account.
- `fleet_scan` — Batch-scan a list of MCP server names against the security metadata registry.
- `runtime_correlate` — Cross-reference vulnerability scan results with proxy runtime audit logs.
- `vector_db_scan` — Scan for running vector databases and assess their security posture.
- `aisvs_benchmark` — Run AISVS v1.0 (AI Security Verification Standard) compliance checks.
- `gpu_infra_scan` — Discover GPU/AI compute infrastructure: containers, K8s nodes, and DCGM endpoints.
- `dataset_card_scan` — Scan a directory for ML dataset card metadata and provenance.
- `training_pipeline_scan` — Scan a directory for ML training pipeline lineage and provenance.
- `browser_extension_scan` — Scan installed browser extensions for dangerous permissions.
- `model_provenance_scan` — Check ML model provenance and supply chain metadata.
- `prompt_scan` — Scan prompt template files for injection risks and security issues.
- `model_file_scan` — Scan a directory for ML model files and assess serialization risks.
- `ai_inventory_scan` — Scan source code for AI component usage patterns.
- `license_compliance_scan` — Evaluate package licenses against compliance policy.
- `ingest_external_scan` — Ingest Trivy, Grype, or Syft JSON scan output and return packages with blast radius analysis.

```bash
# Get full input/output schema for a tool
npx -y @smithery/cli@latest tool get agent-bom/agent-bom <tool-name>
```

## Resources

- `registry://servers` — Browse the MCP server security metadata registry (427+ servers).
- `policy://template` — Get a default security policy template for agent-bom.

## Prompts (3)

- `quick-audit` — Run a complete security audit of your AI agent setup.
- `pre-install-check` (package, ecosystem) — Check an MCP server package for vulnerabilities before installing.
- `compliance-report` — Generate OWASP/ATLAS/NIST compliance posture for your AI stack.
