# MCP Tools Reference
agent-bom exposes MCP tools for scanning, blast radius, trust, compliance, runtime, and remediation.
## Tools

### scan

Full discovery + vulnerability scan pipeline. Auto-discovers MCP clients, extracts servers and packages, scans for CVEs, computes blast radius.

### check

Check a single package for vulnerabilities.

### blast_radius

Map the full impact chain of a CVE across agents, servers, credentials, and tools.

### registry_lookup

Look up an MCP server in the 427+ server security metadata registry.

### compliance

Run compliance framework checks (OWASP, MITRE ATLAS, EU AI Act, NIST, CIS, SOC 2, ISO 27001).

### remediate

Generate a prioritized remediation plan for discovered vulnerabilities.
For the JSON contract and example artifact shape, see the remediate Output Contract.
### skill_scan

Scan instruction files such as CLAUDE.md, .cursorrules, AGENTS.md, and skills/*.md for package references, MCP server configs, credential env vars, trust verdicts, and audit findings.

### skill_verify

Verify Sigstore provenance for instruction and skill files.

### verify

Package integrity check with Sigstore signature and SLSA provenance verification.

### skill_trust

Audit an AI instruction file (SKILL.md, CLAUDE.md, .cursorrules, AGENTS.md) for supply chain risks, malicious behavioral patterns, and trust level.
Runs 17 behavioral risk patterns (credential file access, confirmation bypass, messaging/impersonation, voice/telephony, filesystem exfiltration, data exfiltration, and more) plus a 5-category structural trust assessment:

| Category | Checks |
|---|---|
| Purpose & Capability | name/description consistency, binary/network scope |
| Instruction Scope | file reads bounded, data handling documented |
| Install Mechanism | install source, Sigstore signature, provenance |
| Credentials | proportionate, scoped, documented env vars |
| Persistence & Privilege | no persistence, no escalation, no telemetry |

Returns a verdict (benign / suspicious / malicious), confidence level, per-category results, and all findings with severity and recommendations.

```python
skill_trust(skill_path="./SKILL.md")
# → {
#   "verdict": "suspicious",
#   "confidence": "high",
#   "categories": [
#     { "name": "Install Mechanism", "level": "fail", "summary": "Unverified install source" },
#     ...
#   ],
#   "findings": [
#     { "severity": "critical", "title": "Credential/secret file access", "detail": "..." },
#     ...
#   ]
# }
```
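A consumer-side gate for the result shape shown above, as an added example that is not part of agent-bom: it fails closed on a malicious or unrecognised verdict, on findings at or above a chosen severity, and on a `fail` level in the install or credential categories. The gate policy, the `pass` level name and the sample result are assumptions; only `fail`, the verdict values and the severity/category names come from the page.

```python
"""Policy gate over a skill_trust result (added example, not agent-bom code)."""
from dataclasses import dataclass, field

# Assumed severity ordering; only "critical" is shown on the page.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
KNOWN_VERDICTS = {"benign", "suspicious", "malicious"}


@dataclass
class GateDecision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def gate_skill_trust(result: dict, *, block_severity: str = "critical",
                     blocking_categories: tuple[str, ...] = ("Install Mechanism", "Credentials")
                     ) -> GateDecision:
    """Return allowed=False with reasons if the skill should not be installed."""
    reasons: list[str] = []
    verdict = result.get("verdict")
    if verdict == "malicious":
        reasons.append("verdict is malicious")
    elif verdict not in KNOWN_VERDICTS:
        # Unknown or missing verdict: fail closed rather than assume benign.
        reasons.append(f"unrecognised verdict {verdict!r}")
    threshold = SEVERITY_RANK[block_severity]
    for finding in result.get("findings", []):
        # Unknown severities rank -1 and never block on their own.
        if SEVERITY_RANK.get(finding.get("severity", ""), -1) >= threshold:
            reasons.append(f"{finding['severity']} finding: {finding.get('title', '?')}")
    for category in result.get("categories", []):
        if category.get("level") == "fail" and category.get("name") in blocking_categories:
            reasons.append(f"category {category['name']} failed: {category.get('summary', '')}")
    return GateDecision(allowed=not reasons, reasons=reasons)


# Constructed sample mirroring the documented output shape; not a real scan result.
SAMPLE_RESULT = {
    "verdict": "suspicious",
    "confidence": "high",
    "categories": [
        {"name": "Purpose & Capability", "level": "pass", "summary": "consistent"},
        {"name": "Install Mechanism", "level": "fail", "summary": "Unverified install source"},
    ],
    "findings": [
        {"severity": "critical", "title": "Credential/secret file access", "detail": "constructed"},
        {"severity": "low", "title": "Telemetry note", "detail": "constructed"},
    ],
}

if __name__ == "__main__":
    print(gate_skill_trust(SAMPLE_RESULT))
```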
### generate_sbom

Generate an SBOM in CycloneDX or SPDX format.

### policy_check

Evaluate scan results against a security policy file.

### diff

Compare two scan reports showing new, resolved, and persistent findings.

### marketplace_check

Pre-install trust check combining registry lookup with integrity verification.

### code_scan

SAST scanning via Semgrep with CWE-based compliance mapping.

### where

Show all MCP client config discovery paths and what was found.

### tool_risk_assessment

Use live MCP introspection to classify tool capabilities and risky combinations.

### inventory

List all discovered agents, servers, and packages.

### context_graph

Agent context graph with BFS lateral movement analysis.

### graph_export

Export dependency graph data for graph-native tooling.

### analytics_query

Query vulnerability trends and posture history from ClickHouse.

### cis_benchmark

Run CIS benchmark checks against AWS or Snowflake accounts.

### fleet_scan

Batch registry lookup + risk scoring for MCP server inventories.

### runtime_correlate

Cross-reference runtime audit logs with CVE findings for risk amplification.

### vector_db_scan

Probe Qdrant, Weaviate, Chroma, and Milvus instances for authentication misconfigurations and exposure.

### aisvs_benchmark

Run OWASP AISVS v1.0 compliance checks — 9 AI security verification checks across model, data, and inference layers.

### gpu_infra_scan

Scan GPU and AI compute infrastructure — Docker GPU containers, Kubernetes GPU nodes, DCGM unauthenticated endpoint detection.

### dataset_card_scan

Scan dataset cards (Hugging Face, custom) for supply chain risks, license issues, and data provenance gaps.

### training_pipeline_scan

Scan training pipeline configurations for security risks — untrusted data sources, insecure checkpoints, credential exposure.

### browser_extension_scan

Scan browser extensions for MCP and AI-related risks — nativeMessaging, broad host permissions, AI assistant domain access.

### model_provenance_scan

Verify model provenance and integrity — check Sigstore signatures, SLSA provenance, and supply chain attestations.

### prompt_scan

Scan prompts for injection patterns, exfiltration attempts, and manipulation techniques.

### model_file_scan

Scan model files (ONNX, pickle, SafeTensors, etc.) for embedded threats, unsafe deserialization, and hidden payloads.

### ai_inventory_scan

Scan source code for AI SDK imports, model references, shadow AI, and deprecated models.

### license_compliance_scan

SPDX license compliance and compatibility checks — full SPDX catalog support, network-copyleft detection, license conflict identification.

### ingest_external_scan

Import Trivy, Grype, or Syft JSON and return packages with blast-radius analysis.
## Resources

| URI | Description |
|---|---|
| registry://servers | Browse the full MCP server security metadata registry |
| policy://template | Default security policy template |
| metrics://tools | Bounded MCP tool execution metrics |
| schema://inventory-v1 | Canonical pushed-inventory schema contract |
| bestpractices://mcp-hardening | MCP deployment hardening checklist |
| compliance://framework-controls | Framework coverage and evidence mapping |
## Prompts

| Prompt | Description |
|---|---|
| quick-audit | Run a complete security audit of local AI agent and MCP setup |
| pre-install-check | Check an MCP server package before installing |
| compliance-report | Generate OWASP, ATLAS, and NIST compliance posture |
| fleet-audit | Audit an endpoint or cloud inventory file and return graph-ready findings |
| incident-triage | Prioritize a CVE or suspicious MCP finding using blast radius and runtime evidence |
| remediation-plan | Draft a human-reviewed remediation plan without modifying files |