Concept

VirusTotal for AI packages

ai-trust checks any AI-native package against the OpenA2A Registry trust graph and returns a verdict before you install it. It covers MCP servers, A2A agents, skills, AI tools, and LLMs, and is open source under Apache-2.0.

Why VirusTotal

VirusTotal gives one verdict on a file from many sources, so you check before you trust. ai-trust does that for the AI supply chain. Before adding an MCP server or agent to your project, run one command and read its trust score, level, and any advisories. For general-purpose libraries, HackMyAgent covers the same ground; ai-trust is scoped to AI-native packages.

Check

One command returns a verdict for any AI-native package: MCP server, A2A agent, skill, AI tool, or LLM. Pass a package name or audit a whole package.json at once.

Verdict

Each check returns a trust score from 0 to 100, a five-level rating, and any known advisories. The result reads like a verdict card, so you see the risk before the dependency lands in your project.

Trust graph

Scores come from the OpenA2A Registry trust graph: security scans, community consensus, and dependency risk, not a single heuristic. Scoped to AI-native packages.

Figure (screenshot): ai-trust check result for an MCP server showing trust score 87 out of 100, level Scanned, no known advisories.

An ai-trust check reports a trust score, the rating level, and any known advisories.

Run it

Check a single package, no install required:

npx ai-trust check @modelcontextprotocol/server-filesystem

Audit every AI-native dependency in a project at once:

npx ai-trust audit package.json