agent-bom-registry — MCP Server Trust & Security Registry

Look up MCP servers in the 427+ server security metadata registry, assess skill file trust, and run pre-install marketplace checks.

Install

pipx install agent-bom
agent-bom mcp scan @modelcontextprotocol/server-brave-search --ecosystem npm
agent-bom mcp scan @modelcontextprotocol/server-filesystem --ecosystem npm

Tools (7)

Tool	Description
registry_lookup	Look up MCP server in 427+ server security metadata registry
marketplace_check	Pre-install trust check with registry cross-reference
fleet_scan	Batch registry lookup + risk scoring for MCP server inventories
skill_scan	Scan instruction files for package refs, trust, and findings
skill_verify	Verify Sigstore provenance for instruction files
skill_trust	Assess skill file trust level (5-category analysis)
code_scan	SAST scanning via Semgrep with CWE-based compliance mapping

Example Workflows

# Look up a server in the registry
registry_lookup(server_name="brave-search")

# Pre-install trust check
marketplace_check(package="@modelcontextprotocol/server-filesystem")

# Scan instruction files and then assess a specific skill file
skill_scan(path=".")
skill_trust(skill_path="./SKILL.md")

# Batch risk scoring
fleet_scan(servers=["brave-search", "github", "slack"])

MCP Resources

Resource	Description
registry://servers	Browse 427+ MCP server security metadata registry

Privacy & Data Handling

Registry data is bundled in the package — lookups are in-memory string matches with zero network calls. Skill trust analysis parses content passed as a string argument (no file system access needed).

Verification

• Source: github.com/msaad00/agent-bom (Apache-2.0)
• 7,100+ tests with CodeQL + OpenSSF Scorecard
• No telemetry: Zero tracking, zero analytics