@agentutility/mcp-prooflayer 0.2.0 → 0.2.3
- package/README.md +15 -15
- package/dist/tools.generated.js +15 -15
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -50,21 +50,21 @@ USDC on Base contract: `0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913`
|
|
|
50
50
|
|
|
51
51
|
| Tool | Description |
|
|
52
52
|
|---|---|
|
|
53
|
-
| `ai-content-detector` | (0.03 USDC/call) AI
|
|
54
|
-
| `app-store-rejection-explain` | (0.02 USDC/call) App Store
|
|
55
|
-
| `brand-clearance` | (0.25 USDC/call)
|
|
56
|
-
| `cve` | (0.005 USDC/call)
|
|
57
|
-
| `cve-lookup` | (0.005 USDC/call)
|
|
58
|
-
| `db-migration-risk` | (0.02 USDC/call)
|
|
59
|
-
| `dep-risk-summary` | (0.03 USDC/call)
|
|
60
|
-
| `deploy-config-risk` | (0.02 USDC/call)
|
|
53
|
+
| `ai-content-detector` | (0.03 USDC/call) Detect AI-generated writing with a calibrated probability score. Returns a 0-1 likelihood, a verdict, suspicious phrases, and per-axis style signals (em-dash overuse, hedge phrases, formulaic transitions). Works as an AI content detector, GPT detector, or ChatGPT-text checker. |
|
|
54
|
+
| `app-store-rejection-explain` | (0.02 USDC/call) Explains App Store and Google Play rejections and turns them into a resubmission plan. Parses rejection text and app metadata, identifies likely policy areas, extracts deadlines, and returns a policy-clean resubmission checklist plus reviewer-note outline. Does not promise approval or recommend platform-policy evasion. Use it for Google Play rejection triage or as a mobile app review policy checklist. |
|
|
55
|
+
| `brand-clearance` | (0.25 USDC/call) Screens a candidate brand name across trademark, domain, and web-presence checks in a single composite signal. Runs four checks in parallel (in-process, no x402 self-billing): USPTO TM name search, domain availability across requested TLDs (default .com .ai .dev .io .co), Wikipedia presence, and a Hacker News mention scan. Returns risk_level (clear|soft|moderate|hard), risk_score 0-100, sub-scores per signal, the raw hits, and a one-line recommendation. Designed for AI agents self-screening project, product, or startup names before committing. Screening tool only, not legal advice. Use it as a brand clearance aggregator, name screening tool, product-name vetting step, or startup-brand pre-flight. |
|
|
56
|
+
| `cve` | (0.005 USDC/call) Looks up a CVE and returns the full NIST NVD vulnerability record. Short alias of cve-lookup: CVSS v3.1 + v2 vectors, severity, CWE class, affected CPE list, references, public-exploit indicator with reference URLs, and a bounded exploitability summary. Federal public data. Use it as a vulnerability lookup, NVD record fetch, CVSS scorer, vuln advisory fetch, exploit-known check, or patch-priority triage for Log4Shell-style records. |
|
|
57
|
+
| `cve-lookup` | (0.005 USDC/call) Looks up a CVE and returns its canonical NIST NVD record: description, CVSS v3.1 and v2 vectors plus numeric scores, severity bucket, CWE class, affected CPE list, NVD references, and a public-exploit-known boolean with reference URLs. Takes a CVE-YYYY-NNNNN identifier and includes a bounded plain-English exploitability summary. Federal public data. Use it as a vulnerability database, NVD record fetcher, CVSS scorer, Log4Shell-style advisory inspector, known-exploit checker, CISA KEV adjacent tool, patch-priority triage aid, or CWE classifier. |
|
|
58
|
+
| `db-migration-risk` | (0.02 USDC/call) Audits database migrations for risky SQL before deploy. Walks migrations/, prisma/migrations/, db/migrate/, supabase/migrations/, and alembic/versions/ and flags destructive DDL, lock-heavy ALTER TABLE, NOT NULL without DEFAULT, plain CREATE INDEX (vs CONCURRENTLY), unbounded TRUNCATE/DELETE, and FK validation without NOT VALID. Returns 0-100 score, per-finding kind/severity/path/line/evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} for public GitHub or {files: [{path, content}, ...]} for private / agent-workspace use. Use it as a SQL migration safety check, DROP COLUMN detector, unsafe ALTER TABLE detector, Postgres CREATE INDEX CONCURRENTLY check, Alembic op.drop_* detector, TRUNCATE/DELETE WHERE detector, foreign key NOT VALID check, or pre-deploy DB gate. |
|
|
59
|
+
| `dep-risk-summary` | (0.03 USDC/call) Scores dependency risk for a whole repo from its manifests and lockfiles. Best-effort scan of package.json, pnpm-lock.yaml, package-lock.json, yarn.lock, bun.lock (JS); requirements.txt, pyproject.toml, poetry.lock (Python); go.mod, go.sum (Go). Samples 10 alphabetically-first direct deps via npm/PyPI registry for deprecation + install-script signals. Returns 0-100 score, per-finding kind/severity/path/evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} or {files: [{path, content}, ...]}. Use it as a package.json + lockfile vetter, unpinned dep detector, transitive dep counter, requirements.txt audit, pyproject dep risk check, deprecated dep detector, install-script dep detector, or Snyk-adjacent repo-level supply-chain risk score. |
|
|
60
|
+
| `deploy-config-risk` | (0.02 USDC/call) Audits deploy configuration files for production risks. Fetches Dockerfile, wrangler.toml, vercel.json, netlify.toml, fly.toml, docker-compose.yml, and serverless.yml and flags open CORS with credentials, exposed admin ports (22/5432/6379/etc), plaintext secrets in inline env, dev/debug mode left enabled, and missing healthchecks. Returns 0-100 score, per-finding kind/severity/path/line/redacted-evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} for public GitHub or {files: [{path, content}, ...]} for private / agent-workspace use. Use it as a Dockerfile lint, vercel.json hardening pass, wrangler.toml review, docker-compose.yml safety check, fly.toml secrets check, netlify deploy gate, open CORS detector, exposed admin port detector, plaintext-secret-in-env detector, or production-readiness deploy gate. |
|
|
61
61
|
| `github-repo-health` | (0.03 USDC/call) GitHub repo health score / open-source maintainability checker. 0-100 score + grade (abandoned/stale/okay/healthy/thriving). Commit activity, contributors, license, CI, tests. Plus LLM verdict. |
|
|
62
|
-
| `package-risk-npm` | (0.03 USDC/call)
|
|
63
|
-
| `production-readiness-score` | (0.10 USDC/call) production readiness
|
|
64
|
-
| `prompt-injection-surface` | (0.03 USDC/call) AI prompt injection
|
|
65
|
-
| `pypi-package-risk` | (0.01 USDC/call)
|
|
66
|
-
| `secrets-exposure-check` | (0.02 USDC/call)
|
|
67
|
-
| `vendor-questionnaire-draft` | (0.08 USDC/call)
|
|
62
|
+
| `package-risk-npm` | (0.03 USDC/call) Scores supply-chain risk for an npm package before you install it. Pulls registry metadata + download stats for the package (and optional version) and checks maintainer count, weekly downloads, install / postinstall script hooks, dependency tree depth, deprecation flag, package age, last-publish recency, and edit-distance to popular package names (typosquat). Returns a 0-10 score, risk_level bucket, contributing factors, typosquat candidate list, and a Venice plain-English summary. Use it as an npm supply-chain scanner, typosquat detector, postinstall-script flagger, npm install pre-flight audit, package.json + pnpm-lock.yaml vetter, or Snyk-adjacent / Socket.dev-adjacent pre-install safety gate. |
|
|
63
|
+
| `production-readiness-score` | (0.10 USDC/call) Scores production readiness for a repo in one call, aggregating the Prooflayer cluster. Calls all 5 component scanners (secrets-exposure-check, deploy-config-risk, db-migration-risk, dep-risk-summary, prompt-injection-surface) in parallel in-process and rolls findings into a weighted composite score (default weights: secrets 0.30, migrations 0.20, deps 0.20, deploy 0.15, prompt 0.15). Returns composite 0-100, production_grade (production-ready | needs-review | risky | do-not-ship), per-component sub-scores, top-N deduped findings sorted by severity + score_contribution, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} or {files: [{path, content}, ...]}. Optional 'weights' override (each in [0,0.5], proportionally normalized) and 'max_findings' (default 10, cap 50). Use it as an AI app deploy gate, repo prod-risk composite, one-call audit, unified production readiness API, or vibe-coded app safety scan. |
|
|
64
|
+
| `prompt-injection-surface` | (0.03 USDC/call) Scans AI app source code for prompt injection risk at LLM call sites. Walks .ts/.tsx/.js/.jsx/.py/.mjs/.cjs source files, locates LLM SDK call sites (anthropic, openai, @ai-sdk/*, google generative), and flags user input flowing into prompts without sanitization, calls without max_tokens caps, system/user prompt mixing, and LLM output used unvalidated in fetch/exec/eval. Returns 0-100 score, per-finding kind/severity/path/line/evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} (tree-walk, capped 500 files) or {files: [{path, content}, ...]}. Use it as an LLM call-site audit, unsanitized-user-input-in-prompts detector, system-message mixing flag, unbounded completion detector, AI app safety scan, or pre-deploy AI risk gate. |
|
|
65
|
+
| `pypi-package-risk` | (0.01 USDC/call) Scores the supply-chain risk of a PyPI package before you install it. Pulls metadata + release history from pypi.org for a package (and optional version), evaluating age, recent download volume, maintainer count, post-install hook presence, dependency depth, deprecation flags, last-update recency, and string-distance to popular packages (typosquat). Returns a numeric score (0-10), risk_level bucket, contributing factor list, and an AI-written plain-English risk summary from Venice. Use it as a Python supply-chain scanner, pip dependency vetter, typosquat detector, pre-install audit, Python-package safety check, pyproject.toml / requirements.txt vetter, or poetry + uv pre-install gate. |
|
|
66
|
+
| `secrets-exposure-check` | (0.02 USDC/call) Scans project config files for hardcoded secrets before you deploy. Fetches top-level config files (.env*, wrangler.toml, vercel.json, next.config.*, package.json, etc.) and scans for hardcoded AWS/OpenAI/Anthropic/Stripe/GitHub keys, private keys, DB URLs with passwords, JWT secrets, weak values in .env.example, and server-only env vars accidentally exposed via NEXT_PUBLIC_. Returns 0-100 score, per-finding kind/severity/path/line/redacted-evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} for public GitHub or {files: [{path, content}, ...]} for private / agent-workspace use. Use it as a secrets exposure scan, hardcoded API key detector, .env-committed-key audit, Next.js client env leak detector, or pre-deploy secret gate. |
|
|
67
|
+
| `vendor-questionnaire-draft` | (0.08 USDC/call) Drafts vendor security questionnaire answers from evidence you supply. Takes questionnaire text plus evidence snippets and drafts only evidence-supported answers; unsupported questions are marked needs_evidence instead of invented. Useful for founders and agents answering customer security reviews without leaking private repo data or making unsupported compliance claims. Use it as a security questionnaire answerer, SOC 2 evidence answer helper, or vendor due diligence response builder. |
|
|
68
68
|
|
|
69
69
|
## How it works
|
|
70
70
|
|
|
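Review bot: the old side of this hunk (rows 53-60 and 62-67) shows every description cut off after the price or a word or two ("(0.03 USDC/call) AI", "(0.25 USDC/call)"), so 0.2.0 shipped a truncated tool table rather than a deliberately short one. Since the same text reappears verbatim in package/dist/tools.generated.js, emit the README table from the same scripts/generate-mcp-clusters.mjs run so the two copies cannot drift, and make the generator fail when any description is empty or ends without terminal punctuation.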
@@ -85,4 +85,4 @@ The agent never sees the payment flow — it just gets the result.
|
|
|
85
85
|
|
|
86
86
|
---
|
|
87
87
|
|
|
88
|
-
**Version:** 0.2.
|
|
88
|
+
**Version:** 0.2.3 · **License:** MIT
|
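Review bot: the removed line `**Version:** 0.2.` is a truncated version string, and the fix hardcodes `0.2.3` by hand while package/package.json and tools.generated.js carry the same number separately; read the version from package.json when generating the README and the VERSION export so one bump cannot leave three copies out of step. The file list shows no changelog in this diff, so a README line recording that 0.2.0's descriptions were truncated would help anyone pinned to that version.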
package/dist/tools.generated.js
CHANGED
|
@@ -1,11 +1,11 @@
|
|
|
1
1
|
/** Auto-generated by scripts/generate-mcp-clusters.mjs. Do not edit by hand. */
|
|
2
2
|
export const CLUSTER_SLUG = "prooflayer";
|
|
3
|
-
export const VERSION = "0.2.
|
|
3
|
+
export const VERSION = "0.2.3";
|
|
4
4
|
export const TOOLS = [
|
|
5
5
|
{
|
|
6
6
|
"name": "ai-content-detector",
|
|
7
7
|
"http_name": "ai-content-detector",
|
|
8
|
-
"description": "(0.03 USDC/call) AI
|
|
8
|
+
"description": "(0.03 USDC/call) Detect AI-generated writing with a calibrated probability score. Returns a 0-1 likelihood, a verdict, suspicious phrases, and per-axis style signals (em-dash overuse, hedge phrases, formulaic transitions). Works as an AI content detector, GPT detector, or ChatGPT-text checker.",
|
|
9
9
|
"method": "POST",
|
|
10
10
|
"input_schema": {
|
|
11
11
|
"type": "object",
|
|
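Review bot: on the old side, `export const VERSION = "0.2.` and `"description": "(0.03 USDC/call) AI` are both unterminated string literals, so the 0.2.0 build of tools.generated.js could not have parsed as JavaScript; the fix restores the data but nothing here prevents a repeat. Add a build check that imports the generated module, asserts VERSION equals package.json's version, and asserts every TOOLS[].description is a non-empty terminated string. Also consider trimming the descriptions: they are injected into the model's context on every tool listing, and the trailing "Use it as ..." keyword lists add tokens without adding capability.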
@@ -22,7 +22,7 @@ export const TOOLS = [
|
|
|
22
22
|
{
|
|
23
23
|
"name": "app-store-rejection-explain",
|
|
24
24
|
"http_name": "app-store-rejection-explain",
|
|
25
|
-
"description": "(0.02 USDC/call) App Store
|
|
25
|
+
"description": "(0.02 USDC/call) Explains App Store and Google Play rejections and turns them into a resubmission plan. Parses rejection text and app metadata, identifies likely policy areas, extracts deadlines, and returns a policy-clean resubmission checklist plus reviewer-note outline. Does not promise approval or recommend platform-policy evasion. Use it for Google Play rejection triage or as a mobile app review policy checklist.",
|
|
26
26
|
"method": "POST",
|
|
27
27
|
"input_schema": {
|
|
28
28
|
"type": "object",
|
|
@@ -52,7 +52,7 @@ export const TOOLS = [
|
|
|
52
52
|
{
|
|
53
53
|
"name": "brand-clearance",
|
|
54
54
|
"http_name": "brand-clearance",
|
|
55
|
-
"description": "(0.25 USDC/call)
|
|
55
|
+
"description": "(0.25 USDC/call) Screens a candidate brand name across trademark, domain, and web-presence checks in a single composite signal. Runs four checks in parallel (in-process, no x402 self-billing): USPTO TM name search, domain availability across requested TLDs (default .com .ai .dev .io .co), Wikipedia presence, and a Hacker News mention scan. Returns risk_level (clear|soft|moderate|hard), risk_score 0-100, sub-scores per signal, the raw hits, and a one-line recommendation. Designed for AI agents self-screening project, product, or startup names before committing. Screening tool only, not legal advice. Use it as a brand clearance aggregator, name screening tool, product-name vetting step, or startup-brand pre-flight.",
|
|
56
56
|
"method": "POST",
|
|
57
57
|
"input_schema": {
|
|
58
58
|
"type": "object",
|
|
@@ -78,7 +78,7 @@ export const TOOLS = [
|
|
|
78
78
|
{
|
|
79
79
|
"name": "cve",
|
|
80
80
|
"http_name": "cve",
|
|
81
|
-
"description": "(0.005 USDC/call)
|
|
81
|
+
"description": "(0.005 USDC/call) Looks up a CVE and returns the full NIST NVD vulnerability record. Short alias of cve-lookup: CVSS v3.1 + v2 vectors, severity, CWE class, affected CPE list, references, public-exploit indicator with reference URLs, and a bounded exploitability summary. Federal public data. Use it as a vulnerability lookup, NVD record fetch, CVSS scorer, vuln advisory fetch, exploit-known check, or patch-priority triage for Log4Shell-style records.",
|
|
82
82
|
"method": "POST",
|
|
83
83
|
"input_schema": {
|
|
84
84
|
"type": "object",
|
|
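Review bot: `cve` is described as a short alias of `cve-lookup`, but its description is written separately and already differs (it omits the CVE-YYYY-NNNNN input format and the CISA KEV mention carried by the cve-lookup entry); if the two tools share an implementation, derive this description from the cve-lookup entry in the generator so the alias cannot drift from the tool it aliases.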
@@ -96,7 +96,7 @@ export const TOOLS = [
|
|
|
96
96
|
{
|
|
97
97
|
"name": "cve-lookup",
|
|
98
98
|
"http_name": "cve-lookup",
|
|
99
|
-
"description": "(0.005 USDC/call)
|
|
99
|
+
"description": "(0.005 USDC/call) Looks up a CVE and returns its canonical NIST NVD record: description, CVSS v3.1 and v2 vectors plus numeric scores, severity bucket, CWE class, affected CPE list, NVD references, and a public-exploit-known boolean with reference URLs. Takes a CVE-YYYY-NNNNN identifier and includes a bounded plain-English exploitability summary. Federal public data. Use it as a vulnerability database, NVD record fetcher, CVSS scorer, Log4Shell-style advisory inspector, known-exploit checker, CISA KEV adjacent tool, patch-priority triage aid, or CWE classifier.",
|
|
100
100
|
"method": "POST",
|
|
101
101
|
"input_schema": {
|
|
102
102
|
"type": "object",
|
|
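Review bot: the description says the tool takes a CVE-YYYY-NNNNN identifier, but CVE sequence numbers are variable length (four or more digits) under the current syntax, so any input validation derived from this text must accept four-, five- and longer-digit sequences, and the text should say "CVE-YYYY-NNNN (four or more digits)". Also state what a syntactically valid ID with no NVD record (reserved or rejected) returns, an empty record or an error, since callers use this as a patch-priority gate.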
@@ -114,7 +114,7 @@ export const TOOLS = [
|
|
|
114
114
|
{
|
|
115
115
|
"name": "db-migration-risk",
|
|
116
116
|
"http_name": "db-migration-risk",
|
|
117
|
-
"description": "(0.02 USDC/call)
|
|
117
|
+
"description": "(0.02 USDC/call) Audits database migrations for risky SQL before deploy. Walks migrations/, prisma/migrations/, db/migrate/, supabase/migrations/, and alembic/versions/ and flags destructive DDL, lock-heavy ALTER TABLE, NOT NULL without DEFAULT, plain CREATE INDEX (vs CONCURRENTLY), unbounded TRUNCATE/DELETE, and FK validation without NOT VALID. Returns 0-100 score, per-finding kind/severity/path/line/evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} for public GitHub or {files: [{path, content}, ...]} for private / agent-workspace use. Use it as a SQL migration safety check, DROP COLUMN detector, unsafe ALTER TABLE detector, Postgres CREATE INDEX CONCURRENTLY check, Alembic op.drop_* detector, TRUNCATE/DELETE WHERE detector, foreign key NOT VALID check, or pre-deploy DB gate.",
|
|
118
118
|
"method": "POST",
|
|
119
119
|
"input_schema": {
|
|
120
120
|
"type": "object",
|
|
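Review bot: the `{files: [{path, content}, ...]}` input is labelled "for private / agent-workspace use", but the tool is an HTTP POST that returns a Venice plain-English verdict, so the migration SQL leaves the workspace twice (to this service and to the LLM); say so in the description, because a reader may take "private" to mean local-only, and migrations embed schema and occasionally seed data. A size cap for the files array is also worth stating, as none is listed here.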
@@ -124,7 +124,7 @@ export const TOOLS = [
|
|
|
124
124
|
{
|
|
125
125
|
"name": "dep-risk-summary",
|
|
126
126
|
"http_name": "dep-risk-summary",
|
|
127
|
-
"description": "(0.03 USDC/call)
|
|
127
|
+
"description": "(0.03 USDC/call) Scores dependency risk for a whole repo from its manifests and lockfiles. Best-effort scan of package.json, pnpm-lock.yaml, package-lock.json, yarn.lock, bun.lock (JS); requirements.txt, pyproject.toml, poetry.lock (Python); go.mod, go.sum (Go). Samples 10 alphabetically-first direct deps via npm/PyPI registry for deprecation + install-script signals. Returns 0-100 score, per-finding kind/severity/path/evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} or {files: [{path, content}, ...]}. Use it as a package.json + lockfile vetter, unpinned dep detector, transitive dep counter, requirements.txt audit, pyproject dep risk check, deprecated dep detector, install-script dep detector, or Snyk-adjacent repo-level supply-chain risk score.",
|
|
128
128
|
"method": "POST",
|
|
129
129
|
"input_schema": {
|
|
130
130
|
"type": "object",
|
|
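Review bot: "Samples 10 alphabetically-first direct deps" means the registry-backed deprecation and install-script signals cover a fixed, predictable subset of the manifest, so zero findings says nothing about deps later in the alphabet; return the sampled names (or a coverage fraction) in the response and state in the description that the remaining deps are judged from the lockfile alone. A random or risk-prioritised sample would be a better default than alphabetical.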
@@ -134,7 +134,7 @@ export const TOOLS = [
|
|
|
134
134
|
{
|
|
135
135
|
"name": "deploy-config-risk",
|
|
136
136
|
"http_name": "deploy-config-risk",
|
|
137
|
-
"description": "(0.02 USDC/call)
|
|
137
|
+
"description": "(0.02 USDC/call) Audits deploy configuration files for production risks. Fetches Dockerfile, wrangler.toml, vercel.json, netlify.toml, fly.toml, docker-compose.yml, and serverless.yml and flags open CORS with credentials, exposed admin ports (22/5432/6379/etc), plaintext secrets in inline env, dev/debug mode left enabled, and missing healthchecks. Returns 0-100 score, per-finding kind/severity/path/line/redacted-evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} for public GitHub or {files: [{path, content}, ...]} for private / agent-workspace use. Use it as a Dockerfile lint, vercel.json hardening pass, wrangler.toml review, docker-compose.yml safety check, fly.toml secrets check, netlify deploy gate, open CORS detector, exposed admin port detector, plaintext-secret-in-env detector, or production-readiness deploy gate.",
|
|
138
138
|
"method": "POST",
|
|
139
139
|
"input_schema": {
|
|
140
140
|
"type": "object",
|
|
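Review bot: "exposed admin ports (22/5432/6379/etc)" leaves the checked list open-ended; a deploy gate should publish the exact port set so users know what is and is not covered. For docker-compose.yml the check also needs to distinguish a loopback bind such as `127.0.0.1:5432:5432` from `5432:5432`, otherwise the common hardened form is reported as exposed, and the description does not say whether the host address is considered.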
@@ -161,7 +161,7 @@ export const TOOLS = [
|
|
|
161
161
|
{
|
|
162
162
|
"name": "package-risk-npm",
|
|
163
163
|
"http_name": "package-risk-npm",
|
|
164
|
-
"description": "(0.03 USDC/call)
|
|
164
|
+
"description": "(0.03 USDC/call) Scores supply-chain risk for an npm package before you install it. Pulls registry metadata + download stats for the package (and optional version) and checks maintainer count, weekly downloads, install / postinstall script hooks, dependency tree depth, deprecation flag, package age, last-publish recency, and edit-distance to popular package names (typosquat). Returns a 0-10 score, risk_level bucket, contributing factors, typosquat candidate list, and a Venice plain-English summary. Use it as an npm supply-chain scanner, typosquat detector, postinstall-script flagger, npm install pre-flight audit, package.json + pnpm-lock.yaml vetter, or Snyk-adjacent / Socket.dev-adjacent pre-install safety gate.",
|
|
165
165
|
"method": "POST",
|
|
166
166
|
"input_schema": {
|
|
167
167
|
"type": "object",
|
|
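Review bot: this tool returns a 0-10 score while the repo-level tools in this cluster return 0-100, and the description does not say which end of the scale is risky; state the direction in the "Returns" sentence and in the risk_level bucket definition, since an agent that wires this into an install gate with a numeric threshold gets it silently backwards otherwise.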
@@ -183,7 +183,7 @@ export const TOOLS = [
|
|
|
183
183
|
{
|
|
184
184
|
"name": "production-readiness-score",
|
|
185
185
|
"http_name": "production-readiness-score",
|
|
186
|
-
"description": "(0.10 USDC/call) production readiness
|
|
186
|
+
"description": "(0.10 USDC/call) Scores production readiness for a repo in one call, aggregating the Prooflayer cluster. Calls all 5 component scanners (secrets-exposure-check, deploy-config-risk, db-migration-risk, dep-risk-summary, prompt-injection-surface) in parallel in-process and rolls findings into a weighted composite score (default weights: secrets 0.30, migrations 0.20, deps 0.20, deploy 0.15, prompt 0.15). Returns composite 0-100, production_grade (production-ready | needs-review | risky | do-not-ship), per-component sub-scores, top-N deduped findings sorted by severity + score_contribution, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} or {files: [{path, content}, ...]}. Optional 'weights' override (each in [0,0.5], proportionally normalized) and 'max_findings' (default 10, cap 50). Use it as an AI app deploy gate, repo prod-risk composite, one-call audit, unified production readiness API, or vibe-coded app safety scan.",
|
|
187
187
|
"method": "POST",
|
|
188
188
|
"input_schema": {
|
|
189
189
|
"type": "object",
|
|
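Review bot: the 'weights' override allows each weight in [0,0.5] and proportionally normalizes, which leaves the all-zero case undefined (division by zero or a silent fall-back to the defaults?); document which, and also what a 'max_findings' above the cap of 50 does (clamped or rejected). Since the five components are all named as risk scores, say whether the composite 0-100 is readiness (higher is better) or risk (higher is worse), because production_grade maps from it.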
@@ -193,7 +193,7 @@ export const TOOLS = [
|
|
|
193
193
|
{
|
|
194
194
|
"name": "prompt-injection-surface",
|
|
195
195
|
"http_name": "prompt-injection-surface",
|
|
196
|
-
"description": "(0.03 USDC/call) AI prompt injection
|
|
196
|
+
"description": "(0.03 USDC/call) Scans AI app source code for prompt injection risk at LLM call sites. Walks .ts/.tsx/.js/.jsx/.py/.mjs/.cjs source files, locates LLM SDK call sites (anthropic, openai, @ai-sdk/*, google generative), and flags user input flowing into prompts without sanitization, calls without max_tokens caps, system/user prompt mixing, and LLM output used unvalidated in fetch/exec/eval. Returns 0-100 score, per-finding kind/severity/path/line/evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} (tree-walk, capped 500 files) or {files: [{path, content}, ...]}. Use it as an LLM call-site audit, unsanitized-user-input-in-prompts detector, system-message mixing flag, unbounded completion detector, AI app safety scan, or pre-deploy AI risk gate.",
|
|
197
197
|
"method": "POST",
|
|
198
198
|
"input_schema": {
|
|
199
199
|
"type": "object",
|
|
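Review bot: the repo input is "tree-walk, capped 500 files", but nothing in the description says the response flags when the cap was hit; a low score on a partially scanned tree is false assurance for a pre-deploy gate, so return scanned/total file counts and a truncated flag, and document the walk order so users know which 500 files are covered.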
@@ -203,7 +203,7 @@ export const TOOLS = [
|
|
|
203
203
|
{
|
|
204
204
|
"name": "pypi-package-risk",
|
|
205
205
|
"http_name": "pypi-package-risk",
|
|
206
|
-
"description": "(0.01 USDC/call)
|
|
206
|
+
"description": "(0.01 USDC/call) Scores the supply-chain risk of a PyPI package before you install it. Pulls metadata + release history from pypi.org for a package (and optional version), evaluating age, recent download volume, maintainer count, post-install hook presence, dependency depth, deprecation flags, last-update recency, and string-distance to popular packages (typosquat). Returns a numeric score (0-10), risk_level bucket, contributing factor list, and an AI-written plain-English risk summary from Venice. Use it as a Python supply-chain scanner, pip dependency vetter, typosquat detector, pre-install audit, Python-package safety check, pyproject.toml / requirements.txt vetter, or poetry + uv pre-install gate.",
|
|
207
207
|
"method": "POST",
|
|
208
208
|
"input_schema": {
|
|
209
209
|
"type": "object",
|
|
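Review bot: "post-install hook presence" is not a PyPI concept; pip has no postinstall hook, and the equivalent risk is arbitrary code in setup.py (or a custom build backend) running when an sdist is installed. Say which release artifacts the check inspects (sdist-only release, presence of setup.py) so the signal is interpretable, and, as with package-risk-npm, state whether 10 on the 0-10 scale means high or low risk.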
@@ -225,7 +225,7 @@ export const TOOLS = [
|
|
|
225
225
|
{
|
|
226
226
|
"name": "secrets-exposure-check",
|
|
227
227
|
"http_name": "secrets-exposure-check",
|
|
228
|
-
"description": "(0.02 USDC/call)
|
|
228
|
+
"description": "(0.02 USDC/call) Scans project config files for hardcoded secrets before you deploy. Fetches top-level config files (.env*, wrangler.toml, vercel.json, next.config.*, package.json, etc.) and scans for hardcoded AWS/OpenAI/Anthropic/Stripe/GitHub keys, private keys, DB URLs with passwords, JWT secrets, weak values in .env.example, and server-only env vars accidentally exposed via NEXT_PUBLIC_. Returns 0-100 score, per-finding kind/severity/path/line/redacted-evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} for public GitHub or {files: [{path, content}, ...]} for private / agent-workspace use. Use it as a secrets exposure scan, hardcoded API key detector, .env-committed-key audit, Next.js client env leak detector, or pre-deploy secret gate.",
|
|
229
229
|
"method": "POST",
|
|
230
230
|
"input_schema": {
|
|
231
231
|
"type": "object",
|
|
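Review bot: "Fetches top-level config files" means a monorepo's apps/web/.env or packages/api/wrangler.toml is never scanned, so a clean 0-100 score can be misleading for exactly the repos most likely to use the agent-workspace input; either walk the tree with the same 500-file cap prompt-injection-surface uses or state the top-level limitation in the first sentence. Returning redacted evidence is the right call given that findings travel back over the wire.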
@@ -235,7 +235,7 @@ export const TOOLS = [
|
|
|
235
235
|
{
|
|
236
236
|
"name": "vendor-questionnaire-draft",
|
|
237
237
|
"http_name": "vendor-questionnaire-draft",
|
|
238
|
-
"description": "(0.08 USDC/call)
|
|
238
|
+
"description": "(0.08 USDC/call) Drafts vendor security questionnaire answers from evidence you supply. Takes questionnaire text plus evidence snippets and drafts only evidence-supported answers; unsupported questions are marked needs_evidence instead of invented. Useful for founders and agents answering customer security reviews without leaking private repo data or making unsupported compliance claims. Use it as a security questionnaire answerer, SOC 2 evidence answer helper, or vendor due diligence response builder.",
|
|
239
239
|
"method": "POST",
|
|
240
240
|
"input_schema": {
|
|
241
241
|
"type": "object",
|
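Review bot: "without leaking private repo data" sits next to "evidence snippets" that the caller POSTs to the service, so the claim should be narrowed to what the tool actually guarantees: it does not fetch the repo itself, but whatever the caller pastes as evidence is transmitted and fed to the drafting model, and the description should say so.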
package/package.json
CHANGED