Install
openclaw skills install @msaad00/agent-bom-ingestagent-bom ingest
Validate and ingest operator-pushed agent-bom inventory JSON from AWS, Azure, GCP, Snowflake, CMDB, or endpoint collectors. Use when a user has canonical inventory JSON and wants local findings, graph, policy, provenance, or auditor-ready exports without giving agent-bom direct cloud credentials.
agent-bom-ingest
Use this skill when the operator already produced canonical inventory JSON with an operator-pull adapter, endpoint collector, CMDB export, or AI-agent workflow. The default path is local validation plus local scan/export.
Guardrails
- Validate inventory with the packaged schema before treating it as evidence.
- Require
discovery_provenanceandpermissions_usedwhere the source claims cloud/operator-pushed discovery. - Require a trustworthy
discovery_provenance.source_typesuch asoperator_pushed_inventoryorskill_invoked_pull; do not infer it from prose. - Do not invent provenance, permissions, cloud scopes, or credential posture.
- Do not push to a control plane unless the operator provides the destination URL and auth method explicitly.
- Do not print raw tokens, URL credentials, private keys, or env var values.
Workflow
Validate first:
agent-bom mcp validate inventory.json
Scan locally:
agent-bom agents --inventory inventory.json --format json --output agent-bom-findings.json
Choose output by consumer:
- SARIF for CI/code-scanning gates
- JSON for graph, API, and automation
- HTML or Markdown for human review
- CycloneDX/SPDX for SBOM consumers
Evidence Contract
Valid inventory preserves discovery_provenance, permissions_used,
cloud_origin, redaction state, package identity, server identity, tools, and
security intelligence. If the inventory is malformed or missing required trust
fields, stop and ask the operator to regenerate it rather than scanning a
best-effort summary.