agent-bom
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may lead the agent or user to install and run an external package from PyPI/GHCR, so the package supply chain becomes part of the trust decision.
The skill delegates real scanning behavior to an externally installed CLI package rather than code included in the skill artifacts. This is normal for a CLI-based scanner, but package provenance matters.
pipx install agent-bom
Verify the package source, version, and Sigstore/provenance information before running scans, especially before scanning sensitive configuration or cloud accounts.

If cloud checks are run, the scanner can access metadata about cloud accounts using locally configured credentials.
Optional cloud CIS checks use the user's existing cloud credentials to make read-only provider API calls. This is purpose-aligned for cloud security scanning, but it is account-sensitive authority.
Cloud checks use locally configured credentials (AWS/Azure/GCP/Snowflake) when explicitly invoked.
Run cloud checks only when intended, use least-privilege read-only credentials, and confirm which provider/account/profile will be used before invoking them.

Discovery scans can inspect local configuration files that may reference services, accounts, commands, URLs, or credential locations.
The discovery workflow reads local agent and Snowflake configuration/profile files. The artifacts say values are redacted and only structural data is extracted, but these paths may still reveal account or integration details.
file_reads: ... "~/.snowflake/connections.toml" ... "~/.snowflake/config.toml"
Review the listed discovery paths and avoid running discovery on environments whose configuration inventory should not be exposed to the agent session.

If enabled, the proxy can see and affect local MCP tool traffic and write local audit logs.
The enforcement mode can sit between MCP clients and servers, observe MCP tool calls, and block or allow them. The artifacts require explicit user confirmation, making this disclosed and purpose-aligned.
Runs a local proxy that intercepts MCP calls and evaluates them against policy-as-code rules.
Start proxy mode only after reviewing the policy file and understanding which MCP clients or servers will route through it.
