File preview

skill-card.md

View the file contents in the agent-bom scan skill package.

File contents


## Description:
Open security scanner for agentic infrastructure, MCP servers, packages, container images, provenance, filesystems, and SBOMs.

This skill is ready for commercial/non-commercial use.

## Publisher:
[msaad00](https://clawhub.ai/user/msaad00)

### License/Terms of Use:
Apache-2.0


## Use Case:
Developers and security engineers use this skill to check packages, scan agent and MCP infrastructure, inspect container images and filesystems, verify package provenance, map CVE blast radius, and generate SBOMs.

### Deployment Geography for Use:
Global

## Known Risks and Mitigations:
- Risk: The skill may inspect local MCP, coding-agent, and related configuration files during intended security scans.
  - Mitigation: Run scans intentionally, review the discovery paths before use, and avoid scanning paths outside the expected scope.
- Risk: Vulnerability enrichment contacts external databases using public package names and CVE identifiers.
  - Mitigation: Use the skill only where those lookups are acceptable; the evidence states that credentials, configuration contents, and scan results are not sent.
- Risk: Broad trigger wording could cause the skill to be selected for general safety questions.
  - Mitigation: Invoke it only for explicit package, image, SBOM, CVE, provenance, or agent-inventory security scanning tasks.


## Reference(s):
- [agent-bom source](https://github.com/msaad00/agent-bom)
- [agent-bom on PyPI](https://pypi.org/project/agent-bom/)
- [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/msaad00/agent-bom)
- [Credential redaction source](https://github.com/msaad00/agent-bom/blob/main/src/agent_bom/security.py#L159)
- [OSV vulnerability database API](https://api.osv.dev/v1)
- [NVD CVE API](https://services.nvd.nist.gov/rest/json/cves/2.0)
- [FIRST EPSS API](https://api.first.org/data/v1/epss)
- [GitHub Security Advisories API](https://api.github.com/advisories)


## Skill Output:
**Output Type(s):** text, markdown, code, shell commands, configuration, guidance

**Output Format:** Markdown guidance with shell commands, JSON configuration examples, and scanner output recommendations.

**Output Parameters:** 1D

**Other Properties Related to Output:** May direct agent-bom to produce SARIF, JSON, HTML, Markdown, CycloneDX, or SPDX outputs depending on the consumer.

## Skill Version(s):
0.88.4 (source: frontmatter and server release metadata)

## Ethical Considerations:
Users should evaluate whether this skill is appropriate for their environment, review any generated or modified files before relying on them, and apply their organization's safety, security, and compliance requirements before deployment.