OpenA2A: CLI · HackMyAgent · Secretless · AIM · Browser Guard · DVAA
Trust verification CLI for AI packages. Queries the OpenA2A Registry trust graph for security scans, community consensus, dependency risk, and known advisories.
brew install opena2a-org/tap/ai-trustOr via npm:
npm install -g ai-trustOr run directly with npx:
npx ai-trust check @modelcontextprotocol/server-filesystemFor a full security dashboard covering trust, credentials, shadow AI, and more:
npx opena2a-cli reviewai-trust check @modelcontextprotocol/server-filesystemExpected output:
@modelcontextprotocol/server-filesystem
Trust Level: 3 (Scanned)
Score: 74/100
Verdict: safe
Scanned: 2026-03-01
Findings: 0 critical, 0 high, 2 medium
ai-trust --help # All commands and flags
ai-trust --version # Current version
ai-trust [command] -h # Help for a specific commandLook up the trust verdict for a single package.
ai-trust check @modelcontextprotocol/server-filesystem
ai-trust check my-custom-agent --type a2a_agent
ai-trust check express --json # JSON output for scriptingMCP servers are the most common trust query. Use shorthand to skip the full @modelcontextprotocol/ scope:
# These are equivalent:
ai-trust check server-filesystem
ai-trust check @modelcontextprotocol/server-filesystem
# Third-party MCP servers use their own package names:
ai-trust check mcp-server-kubernetes
ai-trust check @supabase/mcp-server-supabase
ai-trust check @cloudflare/mcp-server-cloudflareShorthand rule: server-* resolves to @modelcontextprotocol/server-*. Third-party mcp-server-* packages are looked up by their actual name.
When a package is not in the registry, ai-trust can download and scan it locally using HackMyAgent. In interactive mode, you will be prompted. In CI, use flags:
# Auto-scan unknown packages, contribute results to the community registry
ai-trust check mcp-server-xyz --scan-if-missing --contribute
# Force re-scan even if registry data exists
ai-trust check server-filesystem --rescan
# Disable scanning entirely (registry lookup only)
ai-trust check server-filesystem --no-scanParse dependency files and batch-query all dependencies. Supports any .json file (package.json format) or .txt file (requirements.txt format).
ai-trust audit package.json
ai-trust audit requirements.txt
ai-trust audit package.json --min-trust 2 # set minimum trust threshold (default: 3)
ai-trust audit package.json --scan-missing --contribute # scan deps not in registryLook up trust verdicts for multiple packages at once.
ai-trust batch express lodash chalk commander
ai-trust batch my-server-a my-server-b --type mcp_serverai-trust check express --json # JSON output for scripting
ai-trust audit package.json --json # JSON audit output
ai-trust check express --no-color # disable colored output
ai-trust check express --registry-url http://localhost:8080 # custom registryEvery scan you run can improve trust data for the entire community. Scan results are shared as anonymized telemetry (check pass/fail and severity only -- no file paths, source code, or descriptions).
On first scan, ai-trust asks whether you want to contribute. Your choice is saved in ~/.opena2a/config.json and shared across all OpenA2A tools (opena2a-cli, hackmyagent).
# Contribute for this scan (non-interactive / CI)
ai-trust check chalk --rescan --contribute
# Configure globally via opena2a-cli
opena2a config set contribute true # opt in
opena2a config set contribute false # opt outThe more scans contributed, the faster packages move from "Listed" to "Scanned" trust level, reducing risk for everyone.
| Level | Label | Description |
|---|---|---|
| 0 | Blocked | Package is blocked due to security concerns |
| 1 | Warning | Package has known issues |
| 2 | Listed | Package is listed but not yet scanned |
| 3 | Scanned | Package has been scanned by HackMyAgent |
| 4 | Verified | Package is verified by the publisher |
| Code | Meaning |
|---|---|
| 0 | All queried packages are safe / meet the trust threshold |
| 1 | Operational error (network failure, file not found, server error) |
| 2 | Policy signal: one or more packages have warning/blocked verdict or fall below --min-trust |
- Node.js 18 or later
- HackMyAgent (optional, required for local scanning)
git clone https://github.com/opena2a-org/ai-trust.git
cd ai-trust && npm install && npm run build
node dist/index.js check express # run locally without installingStep-by-step guides for common workflows:
- Check if a package is safe before installing
- Verify an MCP server's trust score
- Contribute trust data to the community
See docs/USE-CASES.md for the full index.
- OpenA2A Registry — trust scores and scan data
- OpenA2A CLI — unified security CLI
- HackMyAgent — local scanning for unverified packages
- opena2a.org — full platform
Apache-2.0