Query the OpenA2A Registry for security scans, dependency risk, community consensus, and known advisories on any AI package.
$ npx ai-trust check server-filesystem
Resolved: server-filesystem -> @modelcontextprotocol/server-filesystem
ai-trust v0.2.1
@modelcontextprotocol/server-filesystem
---------------------------------------------
Trust Level 4 -- Verified
Publisher Anthropic
Last Scanned 2026-03-12
Advisories None
Dependencies 3 (all scanned)
---------------------------------------------
Verdict: safe to install

Available via Homebrew, npm, or npx. No configuration required.
# Homebrew (macOS/Linux)
$ brew install opena2a-org/tap/ai-trust
# npm global install
$ npm install -g ai-trust
# Run directly (no install needed)
$ npx ai-trust check express

Three commands for single-package lookups, dependency-file audits, and batch verification.
Look up trust information for a single package. If it is not in the registry, scan it locally with HackMyAgent (HMA).
$ ai-trust check server-filesystem

Parse dependency files (.json, .txt) and batch-query all of their dependencies.
$ ai-trust audit package.json --min-trust 3

Look up trust verdicts for multiple packages at once, with optional type filtering.
$ ai-trust batch express lodash chalk --min-trust 2

The OpenA2A Registry assigns one of five trust levels to each package based on scan results, publisher verification, and community consensus.
Package not in the registry? ai-trust downloads it and runs a HackMyAgent security scan locally. Results are shown immediately and can be contributed as anonymized telemetry to grow the community trust graph.
# Scan a package not yet in the registry
$ ai-trust check mcp-server-xyz --scan-if-missing

# Scan and contribute results to the community registry
$ ai-trust check mcp-server-xyz --scan-if-missing --contribute

# Force re-scan even if registry data exists
$ ai-trust check server-filesystem --rescan

# Scan missing deps in a dependency audit
$ ai-trust audit package.json --scan-missing --contribute
Share anonymized scan findings with the OpenA2A Registry to help the community identify unsafe packages. No personal data, no source code -- only check pass/fail results and severity. Your choice is saved and shared across all OpenA2A tools.
On your first scan, ai-trust asks once. Your choice is saved to ~/.opena2a/config.json.
Only check IDs, pass/fail, and severity are sent. No file paths, descriptions, fix text, or code.
Opt-in carries across opena2a-cli, hackmyagent, and ai-trust. Configure once, contribute from any tool.
# Contribute scan results (non-interactive / CI)
$ ai-trust check chalk --rescan --contribute

# Configure globally
$ opena2a config set contribute true    # opt in
$ opena2a config set contribute false   # opt out
All commands support --json output and return a non-zero exit code when a package is blocked or falls below the trust threshold, so a failing check stops the pipeline step that runs it.
- name: Verify AI package trust
  run: npx ai-trust audit package.json --min-trust 3 --json
- name: Check and scan if missing
  run: npx ai-trust check @org/mcp-server --scan-if-missing --json
- name: Audit with local scanning for unknown deps
  run: npx ai-trust audit package.json --scan-missing --contribute
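As an added example (not code from ai-trust or the OpenA2A project), the following JavaScript mirrors the gate that `ai-trust audit <file> --min-trust N` applies and that the CI steps above rely on: it parses a package.json or a requirements.txt, looks every dependency up in a registry, and yields a non-zero exit code when any package falls below the threshold. The registry here is a constructed in-memory table; its trust levels, the sample dependency files, the names example-untrusted-pkg and some-unregistered-tool, and the rule that packages with no registry record fail the gate are all assumptions. The real tool's --json schema is not shown on this page and is not reproduced.

```javascript
// Added example: a local model of the `ai-trust audit --min-trust N` gate.
// Not code from ai-trust or the OpenA2A project. The registry table, its
// trust levels and the sample dependency files are constructed for the demo.

// Constructed registry snapshot: package name -> trust level (1..5).
const SAMPLE_REGISTRY = {
  "@modelcontextprotocol/server-filesystem": 4, // level shown on this page
  express: 4,                   // assumed
  lodash: 3,                    // assumed
  requests: 4,                  // assumed
  "example-untrusted-pkg": 1,   // hypothetical low-trust package
};

// package.json: collect names from every dependency section.
function parsePackageJson(text) {
  const doc = JSON.parse(text);
  const names = new Set();
  for (const section of ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"]) {
    for (const name of Object.keys(doc[section] || {})) names.add(name);
  }
  return [...names];
}

// requirements.txt: keep the project name only, dropping comments, pip option
// lines (-r, --index-url), environment markers, extras and version specifiers.
// pip names are case-insensitive, so they are lower-cased before lookup.
function parseRequirementsTxt(text) {
  const names = [];
  for (const raw of text.split("\n")) {
    const line = raw.replace(/#.*$/, "").trim();
    if (!line || line.startsWith("-")) continue;
    const spec = line.split(";")[0].trim();
    const m = /^([A-Za-z0-9][A-Za-z0-9._-]*)/.exec(spec);
    if (m) names.push(m[1].toLowerCase());
  }
  return names;
}

function parseDependencyFile(filename, text) {
  if (filename.endsWith(".json")) return parsePackageJson(text);
  if (filename.endsWith(".txt")) return parseRequirementsTxt(text);
  throw new Error(`unsupported dependency file: ${filename}`);
}

// Apply the threshold. Packages with no registry record are listed separately
// and fail the gate unless allowUnknown is set (an assumption of this example),
// so a brand-new or typo-squatted name cannot pass simply by having no data.
function auditDependencies(names, registry, minTrust, allowUnknown = false) {
  const belowThreshold = [];
  const unknown = [];
  for (const name of names) {
    const level = registry[name];
    if (level === undefined) unknown.push(name);
    else if (level < minTrust) belowThreshold.push({ name, level });
  }
  const passed = belowThreshold.length === 0 && (allowUnknown || unknown.length === 0);
  return { minTrust, passed, belowThreshold, unknown };
}

// Non-zero exit code when the gate fails, which is what stops a CI job.
function exitCodeFor(result) {
  return result.passed ? 0 : 1;
}

// Constructed inputs, not real project files.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-agent",
  dependencies: {
    "@modelcontextprotocol/server-filesystem": "^0.6.0",
    express: "^4.19.0",
    "example-untrusted-pkg": "1.0.0",
  },
  devDependencies: { lodash: "^4.17.21" },
});

const SAMPLE_REQUIREMENTS_TXT = [
  "# constructed requirements file",
  "-r base.txt",
  "requests>=2.31,<3",
  "Example-Untrusted-Pkg[extra]==1.0.0 ; python_version >= '3.10'  # pinned",
  "some-unregistered-tool==0.1.0",
  "",
].join("\n");

// Audit both sample files at --min-trust 3 and return one report per file.
function runDemo(minTrust = 3) {
  const report = {};
  for (const [file, text] of [["package.json", SAMPLE_PACKAGE_JSON], ["requirements.txt", SAMPLE_REQUIREMENTS_TXT]]) {
    const result = auditDependencies(parseDependencyFile(file, text), SAMPLE_REGISTRY, minTrust);
    report[file] = { ...result, exitCode: exitCodeFor(result) };
  }
  return report;
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The block prints its report so the result can be read; in a CI wrapper the last line would instead set process.exitCode from exitCodeFor so the job fails on any package below the threshold. Treating unregistered packages as failures is a deliberate default here: a package that has simply never been scanned should not pass a trust gate by omission, which is why the page's --scan-missing option exists to fill that gap.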
ai-trust queries the registry and can also scan locally with HackMyAgent, contributing results back to grow the community trust graph.
Populates the registry with scan results
Checks trust before installation
Trust graph for all AI packages