agent-security-lens 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (81) hide show
  1. package/.env.example +10 -0
  2. package/.mcp/server.json +42 -0
  3. package/CHANGELOG.md +17 -0
  4. package/LICENSE +17 -0
  5. package/PRIVACY.md +37 -0
  6. package/README.md +150 -0
  7. package/RELEASE-MANIFEST.json +449 -0
  8. package/SECURITY.md +24 -0
  9. package/apps/mcp-server/agent-security-lens-mcp.mjs +441 -0
  10. package/bin/agent-security-lens.mjs +117 -0
  11. package/data/ecosystems/agent-candidates.json +230 -0
  12. package/data/intelligence/components.json +22989 -0
  13. package/data/intelligence/security-evaluation-standard.json +221 -0
  14. package/data/recommendations/core/recommendations.json +256 -0
  15. package/data/trust/signal-taxonomy.json +107 -0
  16. package/docs/asl-agent-component-safety-standard-v0.2.md +56 -0
  17. package/examples/dot-hermes/.hermes/config.json +17 -0
  18. package/examples/dot-openclaw/.openclaw/openclaw.json +17 -0
  19. package/examples/hermes-like/.env.example +2 -0
  20. package/examples/hermes-like/config.json +37 -0
  21. package/examples/hermes-like/optional-mcps/github-tools.json +8 -0
  22. package/examples/hermes-like/skills/openclaw-imports/browser-skill/SKILL.md +8 -0
  23. package/examples/openclaw-like/.env.example +2 -0
  24. package/examples/openclaw-like/AGENTS.md +7 -0
  25. package/examples/openclaw-like/openclaw.json +28 -0
  26. package/examples/openclaw-like/workspace/skills/browser-control/SKILL.md +8 -0
  27. package/llms.txt +25 -0
  28. package/package.json +50 -0
  29. package/profiles/generic-agent/profile.json +19 -0
  30. package/profiles/hermes-like/profile.json +23 -0
  31. package/profiles/mcp-server/profile.json +18 -0
  32. package/profiles/openclaw-like/profile.json +22 -0
  33. package/profiles/skill-runtime/profile.json +19 -0
  34. package/rule-packs/core/rules.json +82 -0
  35. package/rule-packs/hermes/rules.json +44 -0
  36. package/rule-packs/mcp/rules.json +65 -0
  37. package/rule-packs/openclaw/rules.json +46 -0
  38. package/rule-packs/skills/rules.json +45 -0
  39. package/schemas/agent-install-decision.schema.json +432 -0
  40. package/schemas/agent-usage-event.schema.json +45 -0
  41. package/schemas/assessment-result.schema.json +361 -0
  42. package/schemas/comparison-result.schema.json +113 -0
  43. package/schemas/component-alternative-graph.schema.json +187 -0
  44. package/schemas/component-intelligence.schema.json +93 -0
  45. package/schemas/decision-feedback.schema.json +49 -0
  46. package/schemas/ecosystem-candidate-registry.schema.json +98 -0
  47. package/schemas/profile.schema.json +65 -0
  48. package/schemas/recommendation-pack.schema.json +114 -0
  49. package/schemas/rule-pack.schema.json +113 -0
  50. package/schemas/trust-signal-taxonomy.schema.json +68 -0
  51. package/scripts/verify-examples.mjs +121 -0
  52. package/scripts/verify-mcp-server.mjs +278 -0
  53. package/scripts/verify-registry.mjs +264 -0
  54. package/server.json +42 -0
  55. package/src/assessment/assess.mjs +108 -0
  56. package/src/assessment/discover-targets.mjs +127 -0
  57. package/src/assessment/risk-domains.mjs +83 -0
  58. package/src/assessment/summarize.mjs +57 -0
  59. package/src/core/files.mjs +74 -0
  60. package/src/intelligence/cloud-client.mjs +260 -0
  61. package/src/intelligence/component-intelligence.mjs +358 -0
  62. package/src/intelligence/decision-engine.mjs +772 -0
  63. package/src/intelligence/finding-context.mjs +180 -0
  64. package/src/intelligence/safety-score-v0.2.mjs +294 -0
  65. package/src/observations/json-observations.mjs +211 -0
  66. package/src/observations/observation-rules.mjs +157 -0
  67. package/src/profiles/load-profiles.mjs +130 -0
  68. package/src/recommendations/component-alternative-graph.mjs +94 -0
  69. package/src/recommendations/load-recommendations.mjs +17 -0
  70. package/src/recommendations/match-recommendations.mjs +79 -0
  71. package/src/report/comparison-console.mjs +71 -0
  72. package/src/report/console.mjs +103 -0
  73. package/src/report/markdown.mjs +145 -0
  74. package/src/results/compare-results.mjs +106 -0
  75. package/src/results/save-result.mjs +29 -0
  76. package/src/rules/load-rules.mjs +22 -0
  77. package/src/rules/match-rules.mjs +99 -0
  78. package/src/rules/supersedes.mjs +39 -0
  79. package/src/store/assessment-store.mjs +78 -0
  80. package/src/trust/derive-trust-signals.mjs +73 -0
  81. package/src/trust/load-trust-signals.mjs +17 -0
package/data/ecosystems/agent-candidates.json ADDED
@@ -0,0 +1,230 @@
1
+ {
2
+ "id": "agent-ecosystem-candidates",
3
+ "version": "0.1.0",
4
+ "status": "draft",
5
+ "candidates": [
6
+ {
7
+ "id": "openclaw",
8
+ "name": "OpenClaw",
9
+ "entity_type": "agent-ecosystem",
10
+ "lifecycle_status": "draft-profile",
11
+ "claim_status": "research-needed",
12
+ "priority": 100,
13
+ "regions": ["global"],
14
+ "why_candidate": [
15
+ "OpenClaw exposes a broad autonomous-agent surface with Skills, MCP integrations and remote channels.",
16
+ "An OpenClaw-like profile and validation fixtures are available."
17
+ ],
18
+ "known_or_expected_artifacts": [
19
+ ".openclaw/openclaw.json",
20
+ "openclaw.json",
21
+ "SOUL.md",
22
+ "TOOLS.md",
23
+ "workspace/skills",
24
+ "MCP server configuration",
25
+ "remote channel configuration"
26
+ ],
27
+ "data_needs": [
28
+ {
29
+ "id": "usage-signals",
30
+ "description": "Collect repository, registry and public community activity signals.",
31
+ "status": "needed"
32
+ },
33
+ {
34
+ "id": "github-signals",
35
+ "description": "Collect repository URL, stars, forks, release history, issue activity and maintainer signals.",
36
+ "status": "needed"
37
+ },
38
+ {
39
+ "id": "skills-mcp-inventory",
40
+ "description": "Inventory common OpenClaw skills, MCP integrations and install paths.",
41
+ "status": "needed"
42
+ }
43
+ ],
44
+ "profile_impacts": [
45
+ "Refine OpenClaw path hints.",
46
+ "Add product-specific remote trigger rules.",
47
+ "Add common OpenClaw skill and MCP replacement recommendations."
48
+ ],
49
+ "notes": [
50
+ "Popularity and safety conclusions require reproducible evidence."
51
+ ]
52
+ },
53
+ {
54
+ "id": "hermes-agent",
55
+ "name": "Hermes Agent",
56
+ "entity_type": "agent-ecosystem",
57
+ "lifecycle_status": "draft-profile",
58
+ "claim_status": "research-needed",
59
+ "priority": 95,
60
+ "regions": ["global"],
61
+ "why_candidate": [
62
+ "Hermes Agent includes optional MCPs, Skills, gateways, scheduled tasks and memory surfaces.",
63
+ "A Hermes-like profile and validation fixtures are available."
64
+ ],
65
+ "known_or_expected_artifacts": [
66
+ ".hermes/config.json",
67
+ ".hermes/config.yaml",
68
+ "optional-mcps",
69
+ "optional-skills",
70
+ "gateway",
71
+ "cron",
72
+ "memory",
73
+ "skills/openclaw-imports"
74
+ ],
75
+ "data_needs": [
76
+ {
77
+ "id": "usage-signals",
78
+ "description": "Collect repository, registry and public community activity signals.",
79
+ "status": "needed"
80
+ },
81
+ {
82
+ "id": "github-signals",
83
+ "description": "Collect repository URL, stars, forks, release history, issue activity and maintainer signals.",
84
+ "status": "needed"
85
+ },
86
+ {
87
+ "id": "architecture-review",
88
+ "description": "Read public Hermes Agent architecture and identify product-specific config paths and risky behaviors.",
89
+ "status": "needed"
90
+ }
91
+ ],
92
+ "profile_impacts": [
93
+ "Refine Hermes path hints.",
94
+ "Add migration-specific rules for imported skills and memories.",
95
+ "Add gateway and scheduled task recommendations."
96
+ ],
97
+ "notes": [
98
+ "The current Hermes-like profile is intentionally conservative and marked draft."
99
+ ]
100
+ },
101
+ {
102
+ "id": "openmanus",
103
+ "name": "OpenManus",
104
+ "entity_type": "agent-ecosystem",
105
+ "lifecycle_status": "candidate",
106
+ "claim_status": "research-needed",
107
+ "priority": 80,
108
+ "regions": ["global"],
109
+ "why_candidate": [
110
+ "OpenManus is part of the broader open autonomous-agent landscape.",
111
+ "May represent a different architecture from OpenClaw-like and Hermes-like environments."
112
+ ],
113
+ "known_or_expected_artifacts": [
114
+ "agent configuration",
115
+ "tool configuration",
116
+ "MCP or plugin integration",
117
+ "prompt and memory files"
118
+ ],
119
+ "data_needs": [
120
+ {
121
+ "id": "source-identification",
122
+ "description": "Identify canonical repository, docs and install methods.",
123
+ "status": "needed"
124
+ },
125
+ {
126
+ "id": "usage-signals",
127
+ "description": "Collect GitHub, search and community activity signals.",
128
+ "status": "needed"
129
+ },
130
+ {
131
+ "id": "artifact-map",
132
+ "description": "Map config paths, skill paths, tool registry paths and execution behavior.",
133
+ "status": "needed"
134
+ }
135
+ ],
136
+ "profile_impacts": [
137
+ "Decide whether OpenManus needs a dedicated profile or can use generic-agent plus MCP and skill profiles."
138
+ ],
139
+ "notes": [
140
+ "No popularity or safety conclusion has been recorded yet."
141
+ ]
142
+ },
143
+ {
144
+ "id": "lobster-like",
145
+ "name": "Lobster-like Agent Ecosystem",
146
+ "entity_type": "agent-ecosystem",
147
+ "lifecycle_status": "candidate",
148
+ "claim_status": "research-needed",
149
+ "priority": 70,
150
+ "regions": ["global"],
151
+ "why_candidate": [
152
+ "This ecosystem represents autonomous agents with Skills and MCP-style integrations.",
153
+ "Useful for checking whether the architecture generalizes beyond OpenClaw and Hermes."
154
+ ],
155
+ "known_or_expected_artifacts": [
156
+ "skills",
157
+ "browser tool configuration",
158
+ "MCP configuration",
159
+ "automation or background run configuration"
160
+ ],
161
+ "data_needs": [
162
+ {
163
+ "id": "source-identification",
164
+ "description": "Identify canonical repositories, docs and common install paths.",
165
+ "status": "needed"
166
+ },
167
+ {
168
+ "id": "skills-inventory",
169
+ "description": "Inventory common skills, browser tools and MCP resources.",
170
+ "status": "needed"
171
+ },
172
+ {
173
+ "id": "competitor-overlap",
174
+ "description": "Check whether existing security or guard tools already target this ecosystem.",
175
+ "status": "needed"
176
+ }
177
+ ],
178
+ "profile_impacts": [
179
+ "Use research findings to decide whether a lobster-like profile is warranted for Phase 1."
180
+ ],
181
+ "notes": [
182
+ "This candidate should not be prioritized only because it is structurally convenient."
183
+ ]
184
+ },
185
+ {
186
+ "id": "mcp-registry-ecosystem",
187
+ "name": "MCP Registry Ecosystem",
188
+ "entity_type": "mcp-ecosystem",
189
+ "lifecycle_status": "candidate",
190
+ "claim_status": "research-needed",
191
+ "priority": 90,
192
+ "regions": ["global"],
193
+ "why_candidate": [
194
+ "MCP integrations are a cross-agent risk and recommendation surface.",
195
+ "A reusable MCP reputation layer can benefit multiple agent profiles."
196
+ ],
197
+ "known_or_expected_artifacts": [
198
+ "MCP server manifests",
199
+ "tool schemas",
200
+ "transport configuration",
201
+ "stdio command configuration",
202
+ "remote endpoint configuration"
203
+ ],
204
+ "data_needs": [
205
+ {
206
+ "id": "mcp-source-list",
207
+ "description": "Identify public MCP registries, common MCP server lists and high-usage MCP repositories.",
208
+ "status": "needed"
209
+ },
210
+ {
211
+ "id": "permission-taxonomy",
212
+ "description": "Classify MCP tools into filesystem, shell, browser, network, credential and database access.",
213
+ "status": "needed"
214
+ },
215
+ {
216
+ "id": "replacement-map",
217
+ "description": "Map risky MCP patterns to safer local, pinned or read-only alternatives.",
218
+ "status": "needed"
219
+ }
220
+ ],
221
+ "profile_impacts": [
222
+ "Feed all agent profiles with shared MCP rules and recommendations.",
223
+ "Create MCP-specific reputation and replacement data."
224
+ ],
225
+ "notes": [
226
+ "This is likely a shared layer rather than a single-agent profile."
227
+ ]
228
+ }
229
+ ]
230
+ }