# agent-bom

v1.0

Open security scanner for agentic infrastructure: agents, MCP, packages, blast radius, runtime, and trust across MCP discovery, CVEs, SBOMs, CIS benchmarks (AWS, Azure, GCP, Snowflake), OWASP/NIST/MITRE compliance, AISVS v1.0, MAESTRO layer tagging, and vector database security checks. Use when the user mentions vulnerability scanning, MCP server trust, compliance, SBOM generation, CIS benchmarks, blast radius, or AI supply chain risk.
## agent-bom: AI Agent Infrastructure Security Scanner

Discovers MCP clients and servers across 22 AI tools, scans for CVEs, maps blast radius, runs cloud CIS benchmarks, checks OWASP/NIST/MITRE compliance, generates SBOMs, and assesses AI infrastructure against AISVS v1.0 and MAESTRO framework layers.
### Installation

```bash
pipx install agent-bom

agent-bom agents                   # auto-discover + scan
agent-bom check langchain==0.1.0   # check a specific package with version
agent-bom fs .                     # scan filesystem packages
agent-bom image nginx:1.25         # scan container image (native)
agent-bom cloud aws                # AWS CIS benchmark
agent-bom iac infra/               # scan Terraform/CloudFormation
agent-bom where                    # show all discovery paths
```
### As an MCP Server

```json
{
  "mcpServers": {
    "agent-bom": {
      "command": "uvx",
      "args": ["agent-bom", "mcp", "server"]
    }
  }
}
```
### Sub-skills (8)

| Sub-skill | Purpose | Triggers |
|---|---|---|
| discover | Find agents, MCP servers, configurations | "find agents", "what's configured", "mcp inventory" |
| scan | CVE scanning, image scanning, SBOM, provenance | "check package", "scan image", "verify", "blast radius" |
| scan-infra | IaC, cloud config, secrets scanning | "check terraform", "scan kubernetes", "find secrets" |
| enforce | Runtime policy enforcement, MCP proxy | "block risky calls", "apply policy", "proxy" |
| compliance | 14-framework compliance, SBOM generation | "compliance report", "NIST", "SOC 2", "OWASP" |
| monitor | Fleet monitoring, trust scores, lifecycle | "fleet", "watch agents", "trust scores" |
| analyze | Blast radius, attack paths, context graph | "blast radius", "threat intel", "attack path" |
| troubleshoot | Diagnostics, doctor, config validation | "doctor", "debug", "why failing", "validate config" |

### Tools

#### Vulnerability Scanning

| Tool | Description |
|---|---|
| scan | Full discovery + vulnerability scan pipeline |
| check | Check a package for CVEs (OSV, NVD, EPSS, KEV) |
| blast_radius | Map CVE impact chain across agents, servers, credentials |
| remediate | Prioritized remediation plan for vulnerabilities |
| verify | Package integrity + SLSA provenance check |
| diff | Compare two scan reports (new/resolved/persistent) |
| where | Show MCP client config discovery paths |
| inventory | List discovered agents, servers, packages |

#### Compliance & Policy

| Tool | Description |
|---|---|
| compliance | OWASP LLM/Agentic Top 10, EU AI Act, MITRE ATLAS, NIST AI RMF |
| policy_check | Evaluate results against custom security policy (17 conditions) |
| cis_benchmark | CIS benchmark checks (AWS, Azure v3.0, GCP v3.0, Snowflake) |
| generate_sbom | Generate SBOM (CycloneDX or SPDX format) |
| aisvs_benchmark | OWASP AISVS v1.0 compliance: 9 AI security checks |

#### Registry & Trust

| Tool | Description |
|---|---|
| registry_lookup | Look up MCP server in 427+ server security metadata registry |
| marketplace_check | Pre-install trust check with registry cross-reference |
| fleet_scan | Batch registry lookup + risk scoring for MCP server inventories |
| skill_scan | Scan instruction files for package refs, trust, and findings |
| skill_verify | Verify Sigstore provenance for instruction files |
| skill_trust | Assess skill file trust level (5-category analysis) |
| code_scan | SAST scanning via Semgrep with CWE-based compliance mapping |

#### Runtime & Analytics

| Tool | Description |
|---|---|
| context_graph | Agent context graph with lateral movement analysis |
| analytics_query | Query vulnerability trends, posture history, and runtime events |
| runtime_correlate | Cross-reference proxy audit JSONL with CVE findings, risk amplification |
| vector_db_scan | Probe Qdrant/Weaviate/Chroma/Milvus for auth and exposure |
| gpu_infra_scan | GPU container and K8s node inventory + unauthenticated DCGM probe (MAESTRO KC6) |

#### Specialized Scans

| Tool | Description |
|---|---|
| dataset_card_scan | Scan dataset cards for bias, licensing, and provenance issues |
| training_pipeline_scan | Scan training pipeline configs for security risks |
| browser_extension_scan | Scan browser extensions for risky permissions and AI domain access |
| model_provenance_scan | Verify model provenance and supply chain integrity |
| prompt_scan | Scan prompt templates for injection and data leakage risks |
| model_file_scan | Scan model files for unsafe serialization (pickle, etc.) |
| license_compliance_scan | Full SPDX license catalog scan with copyleft and network-copyleft detection |
| ingest_external_scan | Import external scan results (CycloneDX/SPDX/JSON) and merge into agent-bom findings |

### Resources

| Resource | Description |
|---|---|
| registry://servers | Browse 427+ MCP server security metadata registry |

### Example Workflows

```python
# Check a package before installing
check(package="@modelcontextprotocol/server-filesystem", ecosystem="npm")

# Map blast radius of a CVE
blast_radius(cve_id="CVE-2024-21538")

# Full agent discovery + scan
agents()

# Run CIS benchmark
cis_benchmark(provider="aws")

# Run AISVS v1.0 compliance
aisvs_benchmark()

# Scan vector databases for auth misconfigurations
vector_db_scan()

# Discover GPU containers, K8s GPU nodes, and unauthenticated DCGM endpoints
gpu_infra_scan()

# Scan instruction files and then inspect trust
skill_scan(path=".")
skill_trust(skill_path="./skill.md")
```
### Guardrails

Always do:

- Show CVEs even when NVD analysis