agent-bom registry

v0.75.15

MCP server security registry and trust assessment — look up servers in the 427+ server security metadata registry, run pre-install marketplace checks, batch...

by Agent Bom (@msaad00)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (MCP server registry, trust assessment, pre-install checks, SAST) match the declared requirements: no required binaries, no required env vars, bundled registry data. Optional tooling (semgrep) and optional Snyk enrichment are reasonable extensions for code scanning and are documented as optional.
Instruction Scope
SKILL.md workflows and tool list only reference local lookups and parsing of user-provided SKILL.md content. However, the metadata contains two slightly inconsistent statements: it says 'no file system access needed' and also lists 'file_reads: user-provided SKILL.md files'. This is likely a documentation ambiguity about whether the skill expects the SKILL.md content as a passed string or will read files directly. Functionality (registry lookup, skill analysis) itself does not demand unrelated file or credential access.
Install Mechanism
Instruction-only skill with no install spec in the bundle. The SKILL.md suggests installing a published pip package (agent-bom) if the user wants the tool, which is a normal, low-risk mechanism; nothing in the bundle downloads arbitrary code.
Credentials
No required environment variables or credentials. Optional SNYK_TOKEN is documented and clearly tied to optional Snyk enrichment (network endpoint listed). The optional semgrep binary is proportionate to SAST functionality. No unrelated secrets are requested.
Persistence & Privilege
Skill does not request persistent presence (always: false), reports no telemetry or privilege escalation, and has limited autonomous invocation per metadata. No indications it modifies other skills or system settings.
Assessment
This skill appears to do what it says: local registry lookups and trust/scanning of skill instruction content. Before installing: (1) confirm whether you will pass SKILL.md contents as strings or allow the tool to read files — the metadata is inconsistent on that point; if you want to avoid file reads, provide content directly. (2) If you enable code_scan enrichment, know that semgrep (local binary) is optional and SNYK_TOKEN will allow the tool to call api.snyk.io — supplying that token grants the tool access to your Snyk account. (3) If you plan to install the pip package, review the upstream GitHub/PyPI source (links are provided) to verify the bundled registry claim and to inspect tests and behavior. Overall the package is coherent, but verify the file-read behavior and be cautious about supplying any third-party credentials (SNYK_TOKEN) unless you intend to use that enrichment.


Runtime requirements

🔍 Clawdis
OS: macOS · Linux · Windows
