agent-bom
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: agent-bom
Version: 0.76.4
The agent-bom skill bundle is a security scanner for AI agent infrastructure, MCP servers, and cloud environments. It discovers configurations for 22+ AI tools (e.g., Claude, Cursor, Windsurf), runs CVE scanning, and performs compliance checks (NIST, OWASP, CIS). Although it reads sensitive configuration files, the instructions include explicit guardrails: data is processed locally, environment variables are redacted through a referenced sanitize_env_vars() function, and cloud API calls require user confirmation. The documented capabilities are consistent with the stated purpose of infrastructure auditing and vulnerability management.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may lead the agent or user to install and run an external package from PyPI/GHCR, so the package supply chain becomes part of the trust decision.
The skill delegates real scanning behavior to an externally installed CLI package rather than code included in the skill artifacts. This is normal for a CLI-based scanner, but package provenance matters.
pipx install agent-bom
Pin the version, and verify the package source and any Sigstore/provenance attestation before running scans, especially before scanning sensitive configuration or cloud accounts.
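The pre-install check described above, written out as an added example (not agent-bom's or ClawScan's code). It pins a version, verifies the downloaded artifact's SHA-256 against the release metadata, refuses yanked files, and reports whether the index advertises a provenance object. The JSON shapes are assumptions that mirror the PyPI JSON API (urls[].digests.sha256, urls[].yanked) and the PEP 691/740 Simple JSON API (files[].provenance); the metadata documents and the artifact bytes are constructed so the example runs offline, where a real check would fetch them from pypi.org.

```python
"""Pre-install checks for a pinned PyPI release (added example, not project code).

Assumed formats: PyPI JSON API (/pypi/<name>/<version>/json) with
urls[].digests.sha256 and urls[].yanked, and the PEP 691/740 Simple JSON API
with files[].provenance. Sample documents and artifact bytes are constructed.
"""
import hashlib
import json

NAME = "agent-bom"
VERSION = "0.76.4"          # pin the exact version that was reviewed
FILENAME = "agent_bom-0.76.4-py3-none-any.whl"

# Constructed stand-in for the downloaded wheel; the digests below match it.
ARTIFACT = b"constructed wheel bytes for the example\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

RELEASE_JSON = json.dumps({
    "info": {"name": NAME, "version": VERSION},
    "urls": [{
        "filename": FILENAME,
        "packagetype": "bdist_wheel",
        "digests": {"sha256": ARTIFACT_SHA256},
        "yanked": False,
    }],
})

SIMPLE_JSON = json.dumps({
    "name": NAME,
    "files": [{
        "filename": FILENAME,
        "hashes": {"sha256": ARTIFACT_SHA256},
        # PEP 740: URL of the provenance object; the key is absent when none exists
        "provenance": f"https://pypi.org/integrity/{NAME}/{VERSION}/{FILENAME}/provenance",
    }],
})


def select_file(release_json: str, filename: str) -> dict:
    """Pick one distribution file from the release document, or raise."""
    release = json.loads(release_json)
    if release["info"]["version"] != VERSION:
        raise ValueError("release document is for a different version")
    for entry in release["urls"]:
        if entry["filename"] == filename:
            return entry
    raise ValueError(f"{filename} is not part of {NAME} {VERSION}")


def has_provenance(simple_json: str, filename: str) -> bool:
    """True if the index advertises a PEP 740 provenance object for the file."""
    for entry in json.loads(simple_json).get("files", []):
        if entry["filename"] == filename:
            return bool(entry.get("provenance"))
    return False


def check_release(release_json: str, simple_json: str,
                  filename: str, artifact: bytes) -> dict:
    """Run the pre-install checks and return the decision with its reasons."""
    entry = select_file(release_json, filename)
    actual = hashlib.sha256(artifact).hexdigest()
    report = {
        "sha256_ok": actual == entry["digests"]["sha256"],
        "yanked": bool(entry.get("yanked", False)),
        "has_provenance": has_provenance(simple_json, filename),
    }
    # A digest mismatch or a yanked file blocks the install. A missing
    # provenance object is reported but not fatal, because many packages
    # do not publish attestations yet; decide that per your policy.
    report["install_ok"] = report["sha256_ok"] and not report["yanked"]
    report["install_cmd"] = f"pipx install {NAME}=={VERSION}"
    return report


if __name__ == "__main__":
    print(json.dumps(check_release(RELEASE_JSON, SIMPLE_JSON, FILENAME, ARTIFACT), indent=2))
```

The install command is only emitted when the checks pass; running it with an exact version pin means a later, unreviewed release cannot be pulled in silently.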
If cloud checks are run, the scanner can access metadata about cloud accounts using locally configured credentials.
Optional cloud CIS checks use the user's existing cloud credentials to make read-only provider API calls. This is purpose-aligned for cloud security scanning, but it is account-sensitive authority.
Cloud checks use locally configured credentials (AWS/Azure/GCP/Snowflake) when explicitly invoked.
Run cloud checks only when intended, use least-privilege read-only credentials, and confirm which provider/account/profile will be used before invoking them.
Discovery scans can inspect local configuration files that may reference services, accounts, commands, URLs, or credential locations.
The discovery workflow reads local agent and Snowflake configuration/profile files. The artifacts say values are redacted and only structural data is extracted, but these paths may still reveal account or integration details.
file_reads: ... "~/.snowflake/connections.toml" ... "~/.snowflake/config.toml"
Review the listed discovery paths and avoid running discovery on environments whose configuration inventory should not be exposed to the agent session.
If enabled, the proxy can see and affect local MCP tool traffic and write local audit logs.
The enforcement mode can sit between MCP clients and servers, observe MCP tool calls, and block or allow them. The artifacts require explicit user confirmation, making this disclosed and purpose-aligned.
Runs a local proxy that intercepts MCP calls and evaluates them against policy-as-code rules.
Start proxy mode only after reviewing the policy file and understanding which MCP clients or servers will route through it.
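The intercept-and-evaluate shape of such a proxy, as an added example so that the policy review step above has something concrete to look at. This is not agent-bom's code, and the policy document, rule fields and rule ids are hypothetical: the only MCP facts relied on are that messages are JSON-RPC 2.0 and that a tool invocation is method "tools/call" with params {name, arguments}. Forwarding to a real MCP server is replaced by a placeholder result; the sample calls are constructed.

```python
"""Policy evaluation for intercepted MCP tool calls (added example, not project code).

The policy format is hypothetical. MCP facts used: JSON-RPC 2.0 messages,
tool invocations as method "tools/call" with params {name, arguments}.
"""
import fnmatch
import re

# Hypothetical policy-as-code document: rules are evaluated top to bottom,
# first match wins, and anything unmatched gets the default. A rule may
# optionally test one argument against a regular expression.
POLICY = {
    "default": "deny",
    "rules": [
        {"id": "block-shell", "tool": "run_command", "action": "deny"},
        {"id": "no-secret-paths", "tool": "read_file", "arg": "path",
         "pattern": r"(^|/)\.(aws|snowflake|ssh)/", "action": "deny"},
        {"id": "allow-reads", "tool": "read_file", "action": "allow"},
        {"id": "allow-search", "tool": "search_*", "action": "allow"},
    ],
}


def evaluate(policy: dict, message: dict) -> dict:
    """Decide allow/deny for one JSON-RPC message; non-tool-call traffic passes."""
    if message.get("method") != "tools/call":
        return {"action": "allow", "rule": None, "reason": "not a tool call"}
    params = message.get("params") or {}
    tool = params.get("name", "")
    args = params.get("arguments") or {}
    for rule in policy["rules"]:
        if not fnmatch.fnmatchcase(tool, rule["tool"]):
            continue
        if "arg" in rule:
            # A missing argument cannot match an argument rule; fall through.
            if not re.search(rule["pattern"], str(args.get(rule["arg"], ""))):
                continue
        return {"action": rule["action"], "rule": rule["id"], "reason": "matched"}
    return {"action": policy["default"], "rule": None, "reason": "default"}


def proxy(policy: dict, message: dict, audit: list) -> dict:
    """Handle one client message: deny with a JSON-RPC error, or forward
    (here: return a placeholder result), and append an audit record."""
    decision = evaluate(policy, message)
    params = message.get("params") or {}
    # Audit the decision, not the arguments: tool arguments routinely carry
    # paths, queries or tokens that should not land in a local log file.
    audit.append({"id": message.get("id"), "method": message.get("method"),
                  "tool": params.get("name"), **decision})
    if decision["action"] == "deny":
        return {"jsonrpc": "2.0", "id": message.get("id"),
                "error": {"code": -32000,
                          "message": f"blocked by policy rule {decision['rule'] or 'default'}"}}
    # A real proxy forwards the message to the MCP server here and relays
    # its response; the example substitutes a placeholder result.
    return {"jsonrpc": "2.0", "id": message.get("id"), "result": {"forwarded": True}}


def run_samples() -> list:
    """Push a few constructed client messages through the proxy; return the audit log."""
    calls = [
        {"jsonrpc": "2.0", "id": 1, "method": "tools/list"},
        {"jsonrpc": "2.0", "id": 2, "method": "tools/call",
         "params": {"name": "read_file", "arguments": {"path": "/etc/hostname"}}},
        {"jsonrpc": "2.0", "id": 3, "method": "tools/call",
         "params": {"name": "read_file", "arguments": {"path": "/home/u/.aws/credentials"}}},
        {"jsonrpc": "2.0", "id": 4, "method": "tools/call",
         "params": {"name": "run_command", "arguments": {"cmd": "id"}}},
        {"jsonrpc": "2.0", "id": 5, "method": "tools/call",
         "params": {"name": "delete_repo", "arguments": {}}},
    ]
    audit = []
    for call in calls:
        proxy(POLICY, call, audit)
    return audit


if __name__ == "__main__":
    for record in run_samples():
        print(record)
```

Two things to check in any real policy file before starting the proxy: rule order (a broad allow placed above a narrow deny silently wins) and the default, which should be deny so that a tool the policy author never heard of is not allowed by omission.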
