Verify trust before you install.
Look up community trust data for MCP servers, A2A agents, and AI tools. Trust level, recent scan results, advisories, and dependency risk in one query.
npx ai-trust check server-filesystem
One package. One command. No signup. Runs locally.
What you get back.
One query. Resolved name, trust level, scan recency, advisories, and dependency roll up. No score theater. Every signal traces back to a registry record or a recent scan.
Three commands.
One package, a whole manifest, or a list of names. Same trust graph behind every call.
ai-trust check
Look up a single package
Returns trust level, last scan date, advisories, and dependency risk. Pass --scan-if-missing to scan locally with HackMyAgent when the package is not yet on file.
$ ai-trust check server-filesystem
ai-trust audit
Audit a dependency file
Parses package.json, requirements.txt, or any supported manifest and queries every dependency in one pass. Use --min-trust to fail the run when any package falls below a threshold.
$ ai-trust audit package.json --min-trust 3
ai-trust batch
Verify many packages at once
Pass a list of names. Useful for ad hoc allowlists, supply chain reviews, and CI gates that read package names from a file.
$ ai-trust batch express lodash chalk --min-trust 2
Five trust levels.
Every package resolves to a level from 0 to 4. Set --min-trust in CI to fail the run when any dependency falls below your threshold.
What trust is built from.
Eight signal classes. Every level resolves from registry records, recent scans, and anonymized community reports. No invented numbers.
Scan history
What HackMyAgent has found across recent scans of this package.
- Static, semantic, and adversarial findings
- Severity counts and check IDs
- Most recent scan timestamp
Publisher provenance
Who shipped the package and whether the registry trusts them.
- npm and PyPI publisher identity
- Verified publisher signals
- Domain and org continuity
Open advisories
Known vulnerabilities and security advisories tied to this package or its dependencies.
- GitHub advisory database
- CVE references where available
- Severity at time of query
Dependency risk
Trust roll up across the dependency tree, not just the surface package.
- Transitive dependency review
- Lowest trust level in the tree
- Unscanned dependency callouts
Community signals
What the community has reported back about this package.
- Anonymized scan contributions
- Reported issues and false positives
- Usage breadth across registries
Drift and freshness
Whether the trust signal is current or stale.
- Time since last scan
- Version drift between releases
- Scan refresh recommendations
Activity and adoption
Lifecycle signals for the package itself.
- Release cadence
- Maintenance status
- Reach across npm, PyPI, and Docker
Source registry
Where the artifact actually lives and how to reach it.
- npm, PyPI, Docker, GitHub source
- Canonical name resolution
- Direct registry links
Example queries.
Lookups, audits, and on demand scans across npm, PyPI, and MCP package names.
$ ai-trust check @modelcontextprotocol/server-filesystem
MCP server lookup with full resolved name
$ ai-trust check server-filesystem
Short name resolves to canonical package
$ ai-trust audit package.json --min-trust 3
Fail CI when any dep is below trust level 3
$ ai-trust check mcp-server-xyz --scan-if-missing
Scan locally when the package is not yet on file
$ ai-trust audit requirements.txt --scan-missing --contribute
Audit, scan unknowns, contribute anonymized results
$ ai-trust batch express lodash chalk
Bulk verify a list of names
Scan on demand.
Package not yet on file? Add --scan-if-missing and ai-trust downloads the artifact and runs a HackMyAgent scan locally. Add --contribute to share anonymized findings back to the community.
# Scan a package not yet on file
$ ai-trust check mcp-server-xyz --scan-if-missing
# Scan and contribute results back to the community
$ ai-trust check mcp-server-xyz --scan-if-missing --contribute
# Audit a manifest, scan unknowns, contribute results
$ ai-trust audit package.json --scan-missing --contribute
Community trust, opt in.
Share anonymized scan results to help the community identify unsafe packages. No personal data, no source code. Check IDs, pass and fail counts, severity. That is the entire payload.
Asked once
On first scan, ai-trust prompts and stores your choice in ~/.opena2a/config.json. Change it any time.
Privacy first
Only check IDs, pass and fail counts, and severity are sent. No file paths, no descriptions, no fix text, no code.
Shared across tools
Opt in carries across opena2a-cli, hackmyagent, and ai-trust. Configure once, contribute from any tool.
CI integration.
Every command supports --json. Non zero exit when packages are blocked or fall below your trust threshold.
- name: Verify AI package trust
  run: npx ai-trust audit package.json --min-trust 3 --json
- name: Check MCP server, scan if missing
  run: npx ai-trust check @org/mcp-server --scan-if-missing --json
- name: Audit with on demand scanning for unknown deps
  run: npx ai-trust audit package.json --scan-missing --contribute
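An added example, not code from ai-trust or this page: a POSIX shell gate for the "CI gates that read package names from a file" case, relying on the non zero exit described above. It validates each entry before handing the list to ai-trust batch, so a line in the file cannot be parsed as an option; the trust_gate function, the AI_TRUST variable, and the list file name are assumptions of this sketch.

```shell
#!/bin/sh
# AI_TRUST is an assumption of this sketch, not an ai-trust setting:
# it lets CI pin or stub the command that gets run.
AI_TRUST="${AI_TRUST:-npx ai-trust}"

# trust_gate FILE MIN_TRUST
# Returns 0 when ai-trust accepts every listed package, 2 when the list
# itself is malformed, otherwise the non-zero status ai-trust returned.
trust_gate() {
  tg_file="$1"; tg_min="$2"
  case "$tg_min" in [0-4]) ;; *) echo "min trust must be 0-4" >&2; return 2 ;; esac
  [ -r "$tg_file" ] || { echo "cannot read $tg_file" >&2; return 2; }
  set --                                  # collect validated names in "$@"
  while IFS= read -r tg_line || [ -n "$tg_line" ]; do
    # Drop trailing comments, then all whitespace.
    tg_line=$(printf '%s' "${tg_line%%#*}" | tr -d '[:space:]')
    [ -n "$tg_line" ] || continue
    case "$tg_line" in
      # A leading dash would be read as an option; anything outside the
      # plain registry-name characters is refused rather than passed on.
      -*|*[!A-Za-z0-9@/._-]*)
        echo "rejected entry: $tg_line" >&2; return 2 ;;
    esac
    set -- "$@" "$tg_line"
  done < "$tg_file"
  [ "$#" -gt 0 ] || { echo "no packages listed" >&2; return 2; }
  # Word splitting of $AI_TRUST is intentional ("npx ai-trust").
  $AI_TRUST batch "$@" --min-trust "$tg_min" --json
}

# Usage in a CI step (reviewed-packages.txt is a hypothetical file name):
#   trust_gate reviewed-packages.txt 3 || exit 1
```

An empty or unreadable list fails the gate instead of passing with nothing checked.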
How it fits the ecosystem.
ai-trust queries the trust graph that HackMyAgent scans populate. Same data is also reachable through the OpenA2A CLI when you want one tool for everything.
HackMyAgent populates
Every HackMyAgent scan that opts in feeds anonymized findings into the trust graph.
ai-trust queries
Lookup, audit, and batch verify against the same trust graph before you install.
OpenA2A CLI delegates
opena2a trust and opena2a registry route through ai-trust under the hood.
Verify before you install.
One command. No signup. Runs locally.
npx ai-trust check server-filesystem