agent-bom
Pass
Audited by ClawScan on May 1, 2026.
Overview
The artifacts describe a coherent security-scanning skill, with disclosed but sensitive capabilities such as installing an external scanner, reading local agent/cloud configuration, and optionally running local proxy or cloud checks.
Before installing, verify the agent-bom package provenance and version. Before running scans, review the listed local config paths and avoid scanning directories or cloud accounts you do not want inventoried. Use least-privilege credentials for optional cloud checks, and only start proxy/dashboard modes after explicit confirmation.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may lead the agent or user to install and run an external package from PyPI/GHCR, so the package supply chain becomes part of the trust decision.
The skill delegates real scanning behavior to an externally installed CLI package rather than code included in the skill artifacts. This is normal for a CLI-based scanner, but package provenance matters.
pipx install agent-bom
Verify the package source, version, and Sigstore/provenance information before running scans, especially before scanning sensitive configuration or cloud accounts.
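One concrete way to make "verify the version" enforceable before the `pipx install agent-bom` step is to pin the reviewed artifact's digest and refuse anything else. The following is an added example, not agent-bom's own code: it re-implements the semantics of pip's hash-checking mode (`pip install --require-hashes -r requirements.txt`) so the rules are visible. The version `0.0.0`, the wheel bytes and the digest below are constructed for the example and are not agent-bom's real release data; the pin in practice comes from the artifact you actually reviewed.

```python
"""Hash-pinned install check for a PyPI artifact (added example, not agent-bom code).

pip's hash-checking mode refuses any requirement that lacks a --hash and
refuses an artifact whose digest matches none of the pinned hashes. This
reproduces that logic so the decision is explicit and testable offline.
"""
import hashlib
import re

# pip requirement syntax: "name==version --hash=algo:hex [--hash=algo:hex ...]"
# with optional backslash continuation lines.
_HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<hex>[0-9a-fA-F]+)")
_NAME_RE = re.compile(r"^(?P<name>[A-Za-z0-9._-]+)==(?P<version>[^\s\\]+)")


def normalize(name):
    """PEP 503 name normalization: agent_bom, Agent.Bom and agent-bom are the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return {(normalized_name, version): {algo: {hexdigest, ...}}}.

    Raises ValueError for any requirement that is not pinned to an exact
    version with at least one hash, mirroring --require-hashes.
    """
    pinned = {}
    logical = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # strip comments
        if not line:
            continue
        if line.endswith("\\"):                   # continuation line
            logical.append(line[:-1])
            continue
        logical.append(line)
        joined = " ".join(logical).strip()
        logical = []
        m = _NAME_RE.match(joined)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {joined!r}")
        hashes = {}
        for h in _HASH_RE.finditer(joined):
            hashes.setdefault(h.group("algo"), set()).add(h.group("hex").lower())
        if not hashes:
            raise ValueError(f"{m.group('name')} has no --hash; refusing unverified install")
        pinned[(normalize(m.group("name")), m.group("version"))] = hashes
    return pinned


def artifact_matches(pinned, name, version, data):
    """True only if `data` (downloaded sdist/wheel bytes) matches a pinned digest
    for exactly this name and version. Version drift and content drift both fail."""
    hashes = pinned.get((normalize(name), version))
    if hashes is None:
        return False
    return any(hashlib.new(algo, data).hexdigest() in digests
               for algo, digests in hashes.items())


# Constructed sample artifact and pin file; not real agent-bom release data.
FAKE_WHEEL = b"PK\x03\x04 example wheel bytes standing in for agent-bom"
FAKE_DIGEST = hashlib.sha256(FAKE_WHEEL).hexdigest()   # would come from the reviewed artifact
REQUIREMENTS = (
    "# pinned after reviewing the artifact\n"
    "agent-bom==0.0.0 \\\n"
    f"    --hash=sha256:{FAKE_DIGEST}\n"
)

if __name__ == "__main__":
    pins = parse_requirements(REQUIREMENTS)
    print("matches:", artifact_matches(pins, "agent_bom", "0.0.0", FAKE_WHEEL))
    print("tampered:", artifact_matches(pins, "agent-bom", "0.0.0", FAKE_WHEEL + b"x"))
```

This covers the version and content side of provenance. For the Sigstore side, once you know the identity that is supposed to sign the release (which these artifacts do not state), `python -m sigstore verify identity --cert-identity ... --cert-oidc-issuer ...` against the downloaded file is the corresponding check.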
If cloud checks are run, the scanner can access metadata about cloud accounts using locally configured credentials.
Optional cloud CIS checks use the user's existing cloud credentials to make read-only provider API calls. This is purpose-aligned for cloud security scanning, but it is account-sensitive authority.
Cloud checks use locally configured credentials (AWS/Azure/GCP/Snowflake) when explicitly invoked.
Run cloud checks only when intended, use least-privilege read-only credentials, and confirm which provider/account/profile will be used before invoking them.
Discovery scans can inspect local configuration files that may reference services, accounts, commands, URLs, or credential locations.
The discovery workflow reads local agent and Snowflake configuration/profile files. The artifacts say values are redacted and only structural data is extracted, but these paths may still reveal account or integration details.
file_reads: ... "~/.snowflake/connections.toml" ... "~/.snowflake/config.toml"
Review the listed discovery paths and avoid running discovery on environments whose configuration inventory should not be exposed to the agent session.
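To see what "values are redacted and only structural data is extracted" does and does not protect, here is an added example of a structure-only read of a Snowflake `connections.toml`. It is not agent-bom's discovery code; the sample file contents, the `CREDENTIAL_KEYS` set and the environment-name heuristic in `residual_disclosure` are constructed for the example.

```python
"""Structural, value-redacted inventory of a Snowflake connections file
(added example, not agent-bom's discovery code).

Shows both halves of the finding: no value leaves the parser, yet section
names and key names still reveal which environments exist and how they
authenticate.
"""
import json

try:
    import tomllib                      # Python 3.11+
except ModuleNotFoundError:             # older interpreters: pip install tomli
    import tomli as tomllib

# Key names whose mere presence says where credential material lives (assumed set).
CREDENTIAL_KEYS = {"password", "token", "passcode", "private_key",
                   "private_key_path", "private_key_file", "oauth_client_secret"}

# Constructed sample in the ~/.snowflake/connections.toml layout; not a real account.
SAMPLE_CONNECTIONS_TOML = """
default_connection_name = "prod-finance"

[prod-finance]
account = "xy12345.us-east-1"
user = "svc_reporting"
authenticator = "SNOWFLAKE_JWT"
private_key_path = "/home/me/.snowflake/rsa_key.p8"
warehouse = "REPORTING_WH"

[dev]
account = "xy12345.us-east-1"
user = "alice"
password = "hunter2"
"""


def _redact(value):
    """Keep dict structure (section and key names); replace every leaf value."""
    if isinstance(value, dict):
        return {k: _redact(v) for k, v in sorted(value.items())}
    return "<redacted>"


def inventory(toml_text):
    """Return {section: {key: "<redacted>"}} for tables, plus top-level scalar key names."""
    data = tomllib.loads(toml_text)
    return {
        "top_level_keys": sorted(k for k, v in data.items() if not isinstance(v, dict)),
        "connections": {name: _redact(t) for name, t in data.items() if isinstance(t, dict)},
    }


def inventory_json(toml_text):
    """Serialized form, i.e. what would actually be handed to the agent session."""
    return json.dumps(inventory(toml_text), sort_keys=True)


def residual_disclosure(inv):
    """What the redacted inventory still reveals: the reviewer's caveat made concrete."""
    notes = []
    for name, keys in inv["connections"].items():
        creds = sorted(k for k in keys if k in CREDENTIAL_KEYS)
        if creds:
            notes.append(f"{name}: credential material referenced via {', '.join(creds)}")
        # Heuristic (assumed): section names often encode environment sensitivity.
        if any(tag in name.lower() for tag in ("prod", "prd", "finance", "admin")):
            notes.append(f"{name}: section name alone signals a sensitive environment")
    return notes


if __name__ == "__main__":
    inv = inventory(SAMPLE_CONNECTIONS_TOML)
    print(inventory_json(SAMPLE_CONNECTIONS_TOML))
    for note in residual_disclosure(inv):
        print("still disclosed:", note)
```

The serialized inventory contains neither the account locator nor the password, which is the guarantee the artifacts describe. It does still list a `prod-finance` connection that authenticates with a private key on disk and a `dev` connection with an inline password; that is the account and integration detail the finding warns about, and the reason to keep discovery away from environments whose inventory should not reach the agent session.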
If enabled, the proxy can see and affect local MCP tool traffic and write local audit logs.
The enforcement mode can sit between MCP clients and servers, observe MCP tool calls, and block or allow them. The artifacts require explicit user confirmation, making this disclosed and purpose-aligned.
Runs a local proxy that intercepts MCP calls and evaluates them against policy-as-code rules.
Start proxy mode only after reviewing the policy file and understanding which MCP clients or servers will route through it.
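What "sit between MCP clients and servers, observe tool calls, and block or allow them" amounts to in code, as an added example. This is not agent-bom's proxy or its policy format: the rule schema (`effect`, `server`, `tool`, `when`), the rule ids and the sample JSON-RPC messages are all constructed for the example. It shows why the policy file deserves review (first match wins, so rule order is the policy) and why the audit log itself is sensitive (it deliberately records argument key names rather than values).

```python
"""Minimal policy-as-code gate for MCP tools/call requests
(added example; hypothetical rule format, not agent-bom's).
"""
import fnmatch
import json
import re
import time

# Hypothetical policy. First matching rule wins; nothing matching is denied.
POLICY = [
    {"id": "deny-shell-outside-work", "effect": "deny", "server": "*", "tool": "run_command",
     "when": {"arg": "cwd", "not_matches": r"^/home/me/work/"}},
    {"id": "deny-credential-reads", "effect": "deny", "server": "filesystem", "tool": "read_file",
     "when": {"arg": "path", "matches": r"(^|/)\.(aws|azure|config/gcloud|snowflake|ssh)(/|$)"}},
    {"id": "allow-fs-reads", "effect": "allow", "server": "filesystem", "tool": "read_*"},
    {"id": "allow-work-shell", "effect": "allow", "server": "shell", "tool": "run_command"},
]

AUDIT_LOG = []   # in-memory stand-in for the local audit file


def _condition_holds(when, args):
    """Evaluate the optional `when` clause against the call's arguments."""
    if not when:
        return True
    value = str(args.get(when["arg"], ""))
    if "matches" in when:
        return re.search(when["matches"], value) is not None
    if "not_matches" in when:
        return re.search(when["not_matches"], value) is None
    return False


def evaluate(server, message):
    """Decide one JSON-RPC request. Returns (decision, rule_id)."""
    if message.get("method") != "tools/call":
        return "allow", "passthrough-non-tool-call"   # initialize, tools/list, etc.
    params = message.get("params", {})
    tool, args = params.get("name", ""), params.get("arguments", {})
    for rule in POLICY:
        if not fnmatch.fnmatchcase(server, rule["server"]):
            continue
        if not fnmatch.fnmatchcase(tool, rule["tool"]):
            continue
        if not _condition_holds(rule.get("when"), args):
            continue
        return rule["effect"], rule["id"]
    return "deny", "default-deny"


def gate(server, raw_line):
    """Proxy hook for one client->server line: parse, decide, log, return what to forward.

    A denied call is answered with a JSON-RPC error to the client and never
    reaches the server. The log records argument *names* only, because
    argument values (paths, commands, tokens) are themselves sensitive.
    """
    message = json.loads(raw_line)
    decision, rule_id = evaluate(server, message)
    params = message.get("params", {})
    AUDIT_LOG.append({
        "ts": time.time(), "server": server, "method": message.get("method"),
        "tool": params.get("name"), "arg_keys": sorted(params.get("arguments", {})),
        "decision": decision, "rule": rule_id,
    })
    if decision == "allow":
        return message
    return {"jsonrpc": "2.0", "id": message.get("id"),
            "error": {"code": -32000, "message": f"blocked by policy rule {rule_id}"}}


# Constructed sample traffic (server name, raw JSON-RPC line from the client).
SAMPLE_TRAFFIC = [
    ("filesystem", '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"read_file","arguments":{"path":"/home/me/work/README.md"}}}'),
    ("filesystem", '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"read_file","arguments":{"path":"/home/me/.aws/credentials"}}}'),
    ("shell", '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"run_command","arguments":{"cmd":"ls","cwd":"/tmp"}}}'),
    ("shell", '{"jsonrpc":"2.0","id":4,"method":"tools/call","params":{"name":"run_command","arguments":{"cmd":"ls","cwd":"/home/me/work/app"}}}'),
    ("other", '{"jsonrpc":"2.0","id":5,"method":"tools/call","params":{"name":"delete_everything","arguments":{}}}'),
]

if __name__ == "__main__":
    for server, line in SAMPLE_TRAFFIC:
        out = gate(server, line)
        print("forward" if "error" not in out else out["error"]["message"])
```

Two things to check in a real policy file follow directly from this shape: whether the default is deny or allow when nothing matches, and whether an early broad allow rule shadows a later deny. Also confirm which clients and servers are actually routed through the proxy; a server that talks to the client directly is never evaluated.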
