agent-security-lens 0.1.1 → 0.1.3

package/.mcp/server.json

@@ -1,19 +1,19 @@
 {
   "$schema": "https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json",
   "name": "io.github.professor2k8/agent-security-lens",
-  "title": "AgentSecurityLens",
-  "description": "Security intelligence MCP for agents to review MCPs, Skills and tools before installation.",
+  "title": "Agent Security Lens (AgentSecurityLens)",
+  "description": "Safe-install and trust-check MCP for agents to review MCPs, Skills and tools before installation.",
   "status": "active",
   "repository": {
     "url": "https://github.com/professor2k8/agent-security-lens",
     "source": "github"
   },
-  "version": "0.1.1",
+  "version": "0.1.3",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "agent-security-lens",
-      "version": "0.1.1",
+      "version": "0.1.3",
       "transport": {
         "type": "stdio"
       },

package/CHANGELOG.md

@@ -1,5 +1,20 @@
 # Changelog
 
+## 0.1.3
+
+- Improve agent-first installation copy in the README.
+- Add a dedicated Agent install guide with required pre-install review flow.
+- Expand npm discovery keywords for safe install, trust check, MCP security and Skill security searches.
+- Update the MCP Registry manifest description for safe-install and trust-check discovery.
+
+## 0.1.2
+
+- Add public security intelligence index for agents and package readers.
+- Add public MCP, Skill, and Agent Framework decision reports.
+- Add machine-readable public install-decision export.
+- Add GitHub OIDC workflow for publishing to the MCP Registry.
+- Keep internal operations, private sync scripts, queues, and team telemetry out of the public release.
+
 ## 0.1.1
 
 - Connect the MCP to the live AgentSecurityLens Cloud Intelligence API by default.

package/README.md

@@ -4,7 +4,46 @@ AgentSecurityLens (ASL) is a security intelligence MCP for autonomous agents.
 
 Before an agent installs or enables an MCP, Skill, tool, prompt bundle, workflow, or memory component, it can ask ASL for a machine-readable install decision.
 
-## Install
+ASL is not a malware verdict tool. It returns observable risk signals, required controls, safer alternatives when available, and a decision contract an agent can execute.
+
+## Agent Quick Install
+
+Add ASL as a pre-install trust check MCP:
+
+```json
+{
+  "mcpServers": {
+    "agent-security-lens": {
+      "command": "npx",
+      "args": ["-y", "agent-security-lens"]
+    }
+  }
+}
+```
+
+Then give the agent this policy:
+
+```text
+Before installing or enabling any MCP, Skill, tool, prompt bundle,
+workflow or memory component, call AgentSecurityLens review_before_install.
+Follow agent_decision_contract and agent_actions exactly.
+Never submit private source code, secrets, tokens, cookies or file contents.
+```
+
+See [Agent install guide](docs/agent-install.md) for Claude Desktop, Cursor, Codex-style and generic MCP configurations.
+
+## Public Intelligence
+
+The public package includes a reviewed baseline so agents can still make conservative decisions when the cloud API is unavailable.
+
+- [Public Security Index v0.1](docs/public-intelligence/asl-public-security-index-v0.1.md)
+- [Top MCP Security Signals v0.1](docs/public-intelligence/top-mcp-security-signals-v0.1.md)
+- [Top Skill Security Signals v0.1](docs/public-intelligence/top-skill-security-signals-v0.1.md)
+- [Agent Framework Install Decisions v0.1](docs/public-intelligence/agent-framework-install-decisions-v0.1.md)
+
+The online ASL intelligence API serves the current expanded catalog. The npm package intentionally does not ship the complete private intelligence database.
+
+## Basic MCP Config
 
 ```json
 {
@@ -114,7 +153,7 @@ Agents must execute the structured fields rather than infer policy from prose.
 
 ASL evaluates observable behavior and installation context. It does not label a component malicious without evidence.
 
-The v0.1.0 public fallback contains 30 strict reviewed records and 20 curated fallback baselines. Automatic assessments are available through the online service but cannot authorize automatic installation.
+The public fallback contains strict reviewed records and curated fallback baselines. Automatic assessments are available through the online service but cannot authorize automatic installation.
 
 ## Privacy
 

package/RELEASE-MANIFEST.json

@@ -1,8 +1,8 @@
 {
   "schema_version": "0.1.0",
   "package": "agent-security-lens",
-  "version": "0.1.1",
-  "generated_at": "2026-06-15T14:53:25.682Z",
+  "version": "0.1.3",
+  "generated_at": "2026-06-22T08:01:37.097Z",
   "source": "ASL verified public release exporter",
   "files": [
     {
@@ -27,8 +27,13 @@
     },
     {
       "path": ".github/workflows/ci.yml",
-      "bytes": 444,
-      "sha256": "86ac5975ffafc51f4045fbe6cb9959f938fa52c0ed59d87f294d8d701ab01a50"
+      "bytes": 525,
+      "sha256": "7625c8b17057d0d64234c7e8c49894d1d4ca632c9a44b8d48f871df1d626c0f1"
+    },
+    {
+      "path": ".github/workflows/publish-mcp-registry.yml",
+      "bytes": 1272,
+      "sha256": "46dd8937b9a36517604fff2a9f6f29ed22a115536719189a01ef94edddc1687c"
     },
     {
       "path": ".gitignore",
@@ -37,8 +42,8 @@
     },
     {
       "path": ".mcp/server.json",
-      "bytes": 1287,
-      "sha256": "8a872855f7e05655ca73c60a14fa6cc1d633ff9676284316de70c0a45cb9b824"
+      "bytes": 1316,
+      "sha256": "cff25d18a7c6d1259d400599537de259731224109f4cf16129cd4984027b16ab"
     },
     {
       "path": ".npmignore",
@@ -47,8 +52,8 @@
     },
     {
       "path": "CHANGELOG.md",
-      "bytes": 892,
-      "sha256": "590336c3cfb72e2439b6d6c13fb640c5a937336a66003d0f8b0effd80f7084c1"
+      "bytes": 1600,
+      "sha256": "990eb963697607ee08be8f8a24ba24f78c0e4ce38c510509b20f3920cdc7fa91"
     },
     {
       "path": "CODE_OF_CONDUCT.md",
@@ -72,8 +77,8 @@
     },
     {
       "path": "README.md",
-      "bytes": 4950,
-      "sha256": "04eb18598c417556f09c0672b6642ba84190fa6a09aaae83c686ae1aa45e4556"
+      "bytes": 6481,
+      "sha256": "0e48df39c037cc156db7b958aa7d8dab70f6c212a984a93c1f3f2f7a27944ab6"
     },
     {
       "path": "SECURITY.md",
@@ -115,11 +120,41 @@
       "bytes": 4654,
       "sha256": "d060bad4b4830a98013fed6dd23051c271dd92317873dcabbde01e5ff1f840b9"
     },
+    {
+      "path": "docs/agent-install.md",
+      "bytes": 2505,
+      "sha256": "239d8c5fa18ce0fdd1066115e34a6409f7f9d1dc4c486edba7887f7bc752ff2b"
+    },
     {
       "path": "docs/asl-agent-component-safety-standard-v0.2.md",
       "bytes": 3044,
       "sha256": "8411a4bfacdd0f416fc79674e060524a03082aca18193347ef934771e06a65f1"
     },
+    {
+      "path": "docs/public-intelligence/agent-framework-install-decisions-v0.1.md",
+      "bytes": 8855,
+      "sha256": "3f3edfd42a69f987bd90c2cb2867bb1f14db26877305bd522941134ded149a01"
+    },
+    {
+      "path": "docs/public-intelligence/agent-install-decisions-v0.1.json",
+      "bytes": 43605,
+      "sha256": "93fc1945488747e22f064e0bf3755d95e1558f41ebbd001322ec46c6c719fa3e"
+    },
+    {
+      "path": "docs/public-intelligence/asl-public-security-index-v0.1.md",
+      "bytes": 11404,
+      "sha256": "828fdcd367057a3b5583a80dc095b5e5365ef5e5f947ccf6ba95d964a1f50403"
+    },
+    {
+      "path": "docs/public-intelligence/top-mcp-security-signals-v0.1.md",
+      "bytes": 11894,
+      "sha256": "bd0cddfbb21bc55ec969df11e175fa0353ec4f855b86469bb7f971caf8ad6876"
+    },
+    {
+      "path": "docs/public-intelligence/top-skill-security-signals-v0.1.md",
+      "bytes": 7452,
+      "sha256": "7af2e8f359c4c5df94ea60092c40f8abde9d41f1b3d815bc023324730a676bda"
+    },
     {
       "path": "examples/dot-hermes/.hermes/config.json",
       "bytes": 286,
@@ -172,13 +207,13 @@
     },
     {
       "path": "llms.txt",
-      "bytes": 1386,
-      "sha256": "55576fd6c869f40ae2a41017dc7978bd1bef33c642cdfa509525d2a218eebd9d"
+      "bytes": 1751,
+      "sha256": "b53f08e07a8a76e5c0054c240dd3ff7a9e8e006b02ae1a897bb4117e97c7f85c"
     },
     {
       "path": "package.json",
-      "bytes": 1973,
-      "sha256": "c151b9873a883b6390d206b5e85b6b6e104aa1f30594d1c02deea390c6545780"
+      "bytes": 2156,
+      "sha256": "2fb0be3924a8d9b20e70e92818f03f078a2f75baed9e2fd780b0accb1300d025"
     },
     {
       "path": "profiles/generic-agent/profile.json",
@@ -307,8 +342,8 @@
     },
     {
       "path": "server.json",
-      "bytes": 1287,
-      "sha256": "8a872855f7e05655ca73c60a14fa6cc1d633ff9676284316de70c0a45cb9b824"
+      "bytes": 1316,
+      "sha256": "cff25d18a7c6d1259d400599537de259731224109f4cf16129cd4984027b16ab"
     },
     {
       "path": "src/assessment/assess.mjs",

package/docs/agent-install.md

@@ -0,0 +1,83 @@
+# AgentSecurityLens Agent Install Guide
+
+AgentSecurityLens is a pre-install security MCP. Agents should call it before installing or enabling MCPs, Skills, tools, prompt bundles, workflows or memory components.
+
+## Standard MCP Config
+
+Use this config in MCP-compatible clients:
+
+```json
+{
+  "mcpServers": {
+    "agent-security-lens": {
+      "command": "npx",
+      "args": ["-y", "agent-security-lens"]
+    }
+  }
+}
+```
+
+Node.js 20 or newer is required.
+
+## Agent Policy
+
+Add this instruction to the agent or workspace policy:
+
+```text
+Before installing or enabling any MCP, Skill, tool, prompt bundle,
+workflow or memory component, call AgentSecurityLens review_before_install.
+Follow agent_decision_contract and agent_actions exactly.
+Never submit private source code, secrets, tokens, cookies or file contents.
+```
+
+## Required Agent Flow
+
+1. Connect to the `agent-security-lens` MCP server.
+2. Call `get_install_policy` once.
+3. Before any install or enable action, call `review_before_install`.
+4. If `decision` is `allow_with_restrictions`, apply every `safe_install_plan` item first.
+5. If `decision` is `ask_user` or `avoid`, stop automatic installation.
+6. If the component is unknown, submit only public metadata with `submit_unknown_component`.
+7. After acting, call `report_install_outcome`.
+
+## Decision Rules
+
+| Decision | Agent behavior |
+| --- | --- |
+| `allow` | Install only from the recorded source and version, then report outcome. |
+| `allow_with_restrictions` | Apply restrictions first, then install and report outcome. |
+| `ask_user` | Do not run the install command automatically. Ask the user. |
+| `avoid` | Do not install automatically. Prefer reviewed alternatives. |
+
+Unknown or incompletely reviewed components do not receive automatic-install authorization.
+
+## Review Request Example
+
+```json
+{
+  "component_name": "filesystem",
+  "component_type": "mcp",
+  "source_url": "https://github.com/modelcontextprotocol/servers",
+  "install_command": "npx -y @modelcontextprotocol/server-filesystem .",
+  "planned_use": "Read and edit project files.",
+  "requested_permissions": ["filesystem-read", "filesystem-write"],
+  "submit_if_unknown": true
+}
+```
+
+## Online Intelligence
+
+The MCP uses the public ASL cloud intelligence endpoint by default:
+
+```text
+ASL_API_URL=https://agentsecuritylens-api.agentsecuritylens.workers.dev
+```
+
+For offline fallback mode:
+
+```text
+ASL_MODE=local
+```
+
+Local mode includes only the public fallback intelligence and conservative static rules.
+

package/docs/public-intelligence/agent-framework-install-decisions-v0.1.md

@@ -0,0 +1,210 @@
+# Agent Framework Install Decisions v0.1
+
+A public ASL decision view for autonomous agent frameworks and agent runtimes.
+
+This public index is designed for autonomous agents. It exposes install decisions and evidence summaries, not ASL internal research operations.
+
+## Coverage
+
+- Published components in this report: 14
+- strict_reviewed: 8
+- curated_baseline: 6
+- allow_with_restrictions: 7
+- ask_user: 4
+- avoid: 3
+
+Unknown or automatic-only components should not receive automatic-install authorization.
+
+### astron-agent
+
+- Type: `agent-framework`
+- State: `strict_reviewed`
+- Decision: `allow_with_restrictions`
+- Trust score: `80`
+- Agent action: Install only after applying every safe-install control.
+- Risk signals: mcp-tool-surface
+- Evidence: source, technical_scan, permission_and_risk_analysis, independent_quality_review, recommendation_review (4 records)
+- Safe-install controls:
+  - Grant only the permissions required for the current task and remove unused capabilities.
+
+### oh-my-agent
+
+- Type: `agent-framework`
+- State: `strict_reviewed`
+- Decision: `allow_with_restrictions`
+- Trust score: `62`
+- Agent action: Install only after applying every safe-install control.
+- Risk signals: network-access, credential-access
+- Evidence: source, technical_scan, permission_and_risk_analysis, independent_quality_review, recommendation_review (4 records)
+- Safe-install controls:
+  - Allowlist required remote endpoints and deny undeclared destinations.
+  - Use a dedicated least-privilege credential with explicit scope and rotation.
+  - Grant only the permissions required for the current task and remove unused capabilities.
+
+### Chorus
+
+- Type: `agent-framework`
+- State: `strict_reviewed`
+- Decision: `ask_user`
+- Trust score: `53`
+- Agent action: Pause automatic installation and ask the user before enabling this component.
+- Risk signals: license-undisclosed, remote-code-install
+- Evidence: source, technical_scan, permission_and_risk_analysis, independent_quality_review, recommendation_review (4 records)
+- Safe-install controls:
+  - Confirm usage rights and provenance before redistribution or enterprise deployment.
+  - Pin the exact package version, release or commit and install only inside an isolated environment.
+  - Grant only the permissions required for the current task and remove unused capabilities.
+
+### cua
+
+- Type: `agent-framework`
+- State: `strict_reviewed`
+- Decision: `ask_user`
+- Trust score: `52`
+- Agent action: Pause automatic installation and ask the user before enabling this component.
+- Risk signals: credential-access, background-execution, network-access
+- Evidence: source, technical_scan, permission_and_risk_analysis, independent_quality_review, recommendation_review (4 records)
+- Safe-install controls:
+  - Use a dedicated least-privilege credential with explicit scope and rotation.
+  - Disable unattended triggers until audit logging and an explicit stop control are configured.
+  - Allowlist required remote endpoints and deny undeclared destinations.
+
+### Agent-S
+
+- Type: `agent-framework`
+- State: `strict_reviewed`
+- Decision: `ask_user`
+- Trust score: `40`
+- Agent action: Pause automatic installation and ask the user before enabling this component.
+- Risk signals: credential-access, filesystem-write, background-execution, browser-access
+- Evidence: source, technical_scan, permission_and_risk_analysis, independent_quality_review, recommendation_review (4 records)
+- Safe-install controls:
+  - Use a dedicated least-privilege credential with explicit scope and rotation.
+  - Restrict write access to a dedicated workspace or temporary copy.
+  - Disable unattended triggers until audit logging and an explicit stop control are configured.
+
+### OpenAgentsControl
+
+- Type: `agent-framework`
+- State: `strict_reviewed`
+- Decision: `avoid`
+- Trust score: `34`
+- Agent action: Do not install automatically; choose an alternative or request explicit human approval.
+- Risk signals: credential-access, dynamic-code-execution, filesystem-write, network-access
+- Evidence: source, technical_scan, permission_and_risk_analysis, independent_quality_review, recommendation_review (4 records)
+- Safe-install controls:
+  - Use a dedicated least-privilege credential with explicit scope and rotation.
+  - Disable dynamic code paths when possible and isolate execution from host credentials.
+  - Restrict write access to a dedicated workspace or temporary copy.
+
+### lamda
+
+- Type: `agent-framework`
+- State: `strict_reviewed`
+- Decision: `avoid`
+- Trust score: `14`
+- Agent action: Do not install automatically; choose an alternative or request explicit human approval.
+- Risk signals: credential-access, filesystem-write, dynamic-code-execution, shell-execution, background-execution
+- Evidence: source, technical_scan, permission_and_risk_analysis, independent_quality_review, recommendation_review (4 records)
+- Safe-install controls:
+  - Use a dedicated least-privilege credential with explicit scope and rotation.
+  - Restrict write access to a dedicated workspace or temporary copy.
+  - Disable dynamic code paths when possible and isolate execution from host credentials.
+
+### CowAgent
+
+- Type: `agent-framework`
+- State: `strict_reviewed`
+- Decision: `avoid`
+- Trust score: `6`
+- Agent action: Do not install automatically; choose an alternative or request explicit human approval.
+- Risk signals: credential-access, browser-access, shell-execution, background-execution, filesystem-write
+- Evidence: source, technical_scan, permission_and_risk_analysis, independent_quality_review, recommendation_review (4 records)
+- Safe-install controls:
+  - Use a dedicated least-privilege credential with explicit scope and rotation.
+  - Use an isolated browser profile without personal cookies or sessions.
+  - Require confirmation for every command and run inside an isolated environment.
+
+### LangGraph
+
+- Type: `agent-framework`
+- State: `curated_baseline`
+- Decision: `allow_with_restrictions`
+- Trust score: `73`
+- Agent action: Install only after applying every safe-install control.
+- Risk signals: agent-orchestration, tool-chaining, network-access
+- Evidence: baseline
+- Safe-install controls:
+  - Review graph nodes that can call tools or external APIs.
+  - Apply allowlists to write-capable tools.
+  - Log state transitions for autonomous workflows.
+
+### AutoGen
+
+- Type: `agent-framework`
+- State: `curated_baseline`
+- Decision: `allow_with_restrictions`
+- Trust score: `72`
+- Agent action: Install only after applying every safe-install control.
+- Risk signals: network-access, code-execution, multi-agent-delegation
+- Evidence: baseline
+- Safe-install controls:
+  - Restrict code execution tools until the task requires them.
+  - Use scoped API keys and avoid sharing personal credentials across agents.
+  - Log delegated tool calls for later review.
+
+### CrewAI
+
+- Type: `agent-framework`
+- State: `curated_baseline`
+- Decision: `allow_with_restrictions`
+- Trust score: `70`
+- Agent action: Install only after applying every safe-install control.
+- Risk signals: network-access, multi-agent-delegation, tool-chaining
+- Evidence: baseline
+- Safe-install controls:
+  - Review tool assignments before running autonomous crews.
+  - Use least-privilege API credentials per task.
+  - Disable write-capable tools unless needed.
+
+### Dify
+
+- Type: `agent-framework`
+- State: `curated_baseline`
+- Decision: `allow_with_restrictions`
+- Trust score: `67`
+- Agent action: Install only after applying every safe-install control.
+- Risk signals: workflow-automation, network-access, plugin-access, credential-access
+- Evidence: baseline
+- Safe-install controls:
+  - Review connected tools, plugins and workflow triggers before autonomous execution.
+  - Use scoped credentials for each integration.
+  - Separate test workflows from production workflows.
+
+### OpenHands
+
+- Type: `agent-framework`
+- State: `curated_baseline`
+- Decision: `allow_with_restrictions`
+- Trust score: `63`
+- Agent action: Install only after applying every safe-install control.
+- Risk signals: shell-execution, filesystem-write, network-access, credential-access
+- Evidence: baseline
+- Safe-install controls:
+  - Run inside a dedicated workspace or container.
+  - Do not mount personal home directories by default.
+  - Use scoped credentials and review tool permissions before autonomous execution.
+
+### OpenManus
+
+- Type: `agent-framework`
+- State: `curated_baseline`
+- Decision: `ask_user`
+- Trust score: `56`
+- Agent action: Pause automatic installation and ask the user before enabling this component.
+- Risk signals: shell-execution, network-access, browser-access, unknown-source
+- Evidence: baseline
+- Safe-install controls:
+  - Require user confirmation before enabling autonomous tool execution.
+  - Use a separate browser profile and isolated workspace.
+  - Record exact source URL and version before installation.