agent-security-lens 0.1.1 → 0.1.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.mcp/server.json +4 -4
- package/CHANGELOG.md +15 -0
- package/README.md +41 -2
- package/RELEASE-MANIFEST.json +51 -16
- package/docs/agent-install.md +83 -0
- package/docs/public-intelligence/agent-framework-install-decisions-v0.1.md +210 -0
- package/docs/public-intelligence/agent-install-decisions-v0.1.json +1154 -0
- package/docs/public-intelligence/asl-public-security-index-v0.1.md +90 -0
- package/docs/public-intelligence/top-mcp-security-signals-v0.1.md +278 -0
- package/docs/public-intelligence/top-skill-security-signals-v0.1.md +167 -0
- package/llms.txt +8 -0
- package/package.json +17 -8
- package/server.json +4 -4
|
@@ -0,0 +1,1154 @@
|
|
|
1
|
+
{
|
|
2
|
+
"schema_version": "0.1.0",
|
|
3
|
+
"generated_at": "2026-06-21T15:22:36.805Z",
|
|
4
|
+
"standard_id": "asl-agent-component-safety-standard",
|
|
5
|
+
"model_version": "asl-safety-standard@0.2.0",
|
|
6
|
+
"components": [
|
|
7
|
+
{
|
|
8
|
+
"id": "reviewed-agent-framework-astron-agent",
|
|
9
|
+
"name": "astron-agent",
|
|
10
|
+
"type": "agent-framework",
|
|
11
|
+
"source_url": "https://github.com/iflytek/astron-agent",
|
|
12
|
+
"intelligence_state": "strict_reviewed",
|
|
13
|
+
"trust_score": 80,
|
|
14
|
+
"decision": "allow_with_restrictions",
|
|
15
|
+
"risk_signals": [
|
|
16
|
+
"mcp-tool-surface"
|
|
17
|
+
],
|
|
18
|
+
"safe_install_plan": [
|
|
19
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
20
|
+
],
|
|
21
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
22
|
+
"alternatives": [
|
|
23
|
+
"Chorus",
|
|
24
|
+
"CowAgent"
|
|
25
|
+
]
|
|
26
|
+
},
|
|
27
|
+
{
|
|
28
|
+
"id": "reviewed-skill-azure-containerregistry-py",
|
|
29
|
+
"name": "azure-containerregistry-py",
|
|
30
|
+
"type": "skill",
|
|
31
|
+
"source_url": "https://github.com/microsoft/skills/blob/main/.github/plugins/azure-sdk-python/skills/azure-containerregistry-py/SKILL.md",
|
|
32
|
+
"intelligence_state": "strict_reviewed",
|
|
33
|
+
"trust_score": 74,
|
|
34
|
+
"decision": "allow_with_restrictions",
|
|
35
|
+
"risk_signals": [
|
|
36
|
+
"credential-access"
|
|
37
|
+
],
|
|
38
|
+
"safe_install_plan": [
|
|
39
|
+
"Use a dedicated least-privilege credential with explicit scope and rotation.",
|
|
40
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
41
|
+
],
|
|
42
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
43
|
+
"alternatives": []
|
|
44
|
+
},
|
|
45
|
+
{
|
|
46
|
+
"id": "reviewed-mcp-gitlab-mcp-server",
|
|
47
|
+
"name": "GitLab MCP Server",
|
|
48
|
+
"type": "mcp",
|
|
49
|
+
"source_url": "https://github.com/jmrplens/gitlab-mcp-server",
|
|
50
|
+
"intelligence_state": "strict_reviewed",
|
|
51
|
+
"trust_score": 69,
|
|
52
|
+
"decision": "allow_with_restrictions",
|
|
53
|
+
"risk_signals": [
|
|
54
|
+
"background-execution",
|
|
55
|
+
"credential-access"
|
|
56
|
+
],
|
|
57
|
+
"safe_install_plan": [
|
|
58
|
+
"Disable unattended triggers until audit logging and an explicit stop control are configured.",
|
|
59
|
+
"Use a dedicated least-privilege credential with explicit scope and rotation.",
|
|
60
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
61
|
+
],
|
|
62
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
63
|
+
"alternatives": []
|
|
64
|
+
},
|
|
65
|
+
{
|
|
66
|
+
"id": "reviewed-skill-skill-creator",
|
|
67
|
+
"name": "skill-creator",
|
|
68
|
+
"type": "skill",
|
|
69
|
+
"source_url": "https://github.com/anthropics/skills/blob/main/skills/skill-creator/SKILL.md",
|
|
70
|
+
"intelligence_state": "strict_reviewed",
|
|
71
|
+
"trust_score": 68,
|
|
72
|
+
"decision": "allow_with_restrictions",
|
|
73
|
+
"risk_signals": [
|
|
74
|
+
"license-undisclosed"
|
|
75
|
+
],
|
|
76
|
+
"safe_install_plan": [
|
|
77
|
+
"Confirm usage rights and provenance before redistribution or enterprise deployment.",
|
|
78
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
79
|
+
],
|
|
80
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
81
|
+
"alternatives": []
|
|
82
|
+
},
|
|
83
|
+
{
|
|
84
|
+
"id": "reviewed-skill-imagegen",
|
|
85
|
+
"name": "imagegen",
|
|
86
|
+
"type": "skill",
|
|
87
|
+
"source_url": "https://github.com/openai/skills/blob/main/skills/.system/imagegen/SKILL.md",
|
|
88
|
+
"intelligence_state": "strict_reviewed",
|
|
89
|
+
"trust_score": 68,
|
|
90
|
+
"decision": "allow_with_restrictions",
|
|
91
|
+
"risk_signals": [
|
|
92
|
+
"license-undisclosed"
|
|
93
|
+
],
|
|
94
|
+
"safe_install_plan": [
|
|
95
|
+
"Confirm usage rights and provenance before redistribution or enterprise deployment.",
|
|
96
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
97
|
+
],
|
|
98
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
99
|
+
"alternatives": []
|
|
100
|
+
},
|
|
101
|
+
{
|
|
102
|
+
"id": "reviewed-skill-claude-api",
|
|
103
|
+
"name": "claude-api",
|
|
104
|
+
"type": "skill",
|
|
105
|
+
"source_url": "https://github.com/anthropics/skills/blob/main/skills/claude-api/SKILL.md",
|
|
106
|
+
"intelligence_state": "strict_reviewed",
|
|
107
|
+
"trust_score": 64,
|
|
108
|
+
"decision": "allow_with_restrictions",
|
|
109
|
+
"risk_signals": [
|
|
110
|
+
"license-undisclosed",
|
|
111
|
+
"background-execution"
|
|
112
|
+
],
|
|
113
|
+
"safe_install_plan": [
|
|
114
|
+
"Confirm usage rights and provenance before redistribution or enterprise deployment.",
|
|
115
|
+
"Disable unattended triggers until audit logging and an explicit stop control are configured.",
|
|
116
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
117
|
+
],
|
|
118
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
119
|
+
"alternatives": []
|
|
120
|
+
},
|
|
121
|
+
{
|
|
122
|
+
"id": "reviewed-skill-cli-creator",
|
|
123
|
+
"name": "cli-creator",
|
|
124
|
+
"type": "skill",
|
|
125
|
+
"source_url": "https://github.com/openai/skills/blob/main/skills/.curated/cli-creator/SKILL.md",
|
|
126
|
+
"intelligence_state": "strict_reviewed",
|
|
127
|
+
"trust_score": 64,
|
|
128
|
+
"decision": "allow_with_restrictions",
|
|
129
|
+
"risk_signals": [
|
|
130
|
+
"license-undisclosed",
|
|
131
|
+
"network-access"
|
|
132
|
+
],
|
|
133
|
+
"safe_install_plan": [
|
|
134
|
+
"Confirm usage rights and provenance before redistribution or enterprise deployment.",
|
|
135
|
+
"Allowlist required remote endpoints and deny undeclared destinations.",
|
|
136
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
137
|
+
],
|
|
138
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
139
|
+
"alternatives": []
|
|
140
|
+
},
|
|
141
|
+
{
|
|
142
|
+
"id": "reviewed-skill-cloudflare-deploy",
|
|
143
|
+
"name": "cloudflare-deploy",
|
|
144
|
+
"type": "skill",
|
|
145
|
+
"source_url": "https://github.com/openai/skills/blob/main/skills/.curated/cloudflare-deploy/SKILL.md",
|
|
146
|
+
"intelligence_state": "strict_reviewed",
|
|
147
|
+
"trust_score": 64,
|
|
148
|
+
"decision": "allow_with_restrictions",
|
|
149
|
+
"risk_signals": [
|
|
150
|
+
"license-undisclosed",
|
|
151
|
+
"background-execution"
|
|
152
|
+
],
|
|
153
|
+
"safe_install_plan": [
|
|
154
|
+
"Confirm usage rights and provenance before redistribution or enterprise deployment.",
|
|
155
|
+
"Disable unattended triggers until audit logging and an explicit stop control are configured.",
|
|
156
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
157
|
+
],
|
|
158
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
159
|
+
"alternatives": []
|
|
160
|
+
},
|
|
161
|
+
{
|
|
162
|
+
"id": "reviewed-agent-framework-oh-my-agent",
|
|
163
|
+
"name": "oh-my-agent",
|
|
164
|
+
"type": "agent-framework",
|
|
165
|
+
"source_url": "https://github.com/first-fluke/oh-my-agent",
|
|
166
|
+
"intelligence_state": "strict_reviewed",
|
|
167
|
+
"trust_score": 62,
|
|
168
|
+
"decision": "allow_with_restrictions",
|
|
169
|
+
"risk_signals": [
|
|
170
|
+
"network-access",
|
|
171
|
+
"credential-access"
|
|
172
|
+
],
|
|
173
|
+
"safe_install_plan": [
|
|
174
|
+
"Allowlist required remote endpoints and deny undeclared destinations.",
|
|
175
|
+
"Use a dedicated least-privilege credential with explicit scope and rotation.",
|
|
176
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
177
|
+
],
|
|
178
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
179
|
+
"alternatives": [
|
|
180
|
+
"Chorus",
|
|
181
|
+
"CowAgent"
|
|
182
|
+
]
|
|
183
|
+
},
|
|
184
|
+
{
|
|
185
|
+
"id": "reviewed-skill-netlify-deploy",
|
|
186
|
+
"name": "netlify-deploy",
|
|
187
|
+
"type": "skill",
|
|
188
|
+
"source_url": "https://github.com/openai/skills/blob/main/skills/.curated/netlify-deploy/SKILL.md",
|
|
189
|
+
"intelligence_state": "strict_reviewed",
|
|
190
|
+
"trust_score": 62,
|
|
191
|
+
"decision": "allow_with_restrictions",
|
|
192
|
+
"risk_signals": [
|
|
193
|
+
"license-undisclosed",
|
|
194
|
+
"credential-access"
|
|
195
|
+
],
|
|
196
|
+
"safe_install_plan": [
|
|
197
|
+
"Confirm usage rights and provenance before redistribution or enterprise deployment.",
|
|
198
|
+
"Use a dedicated least-privilege credential with explicit scope and rotation.",
|
|
199
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
200
|
+
],
|
|
201
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
202
|
+
"alternatives": []
|
|
203
|
+
},
|
|
204
|
+
{
|
|
205
|
+
"id": "reviewed-skill-openai-docs",
|
|
206
|
+
"name": "openai-docs",
|
|
207
|
+
"type": "skill",
|
|
208
|
+
"source_url": "https://github.com/openai/skills/blob/main/skills/.curated/openai-docs/SKILL.md",
|
|
209
|
+
"intelligence_state": "strict_reviewed",
|
|
210
|
+
"trust_score": 61,
|
|
211
|
+
"decision": "allow_with_restrictions",
|
|
212
|
+
"risk_signals": [
|
|
213
|
+
"license-undisclosed",
|
|
214
|
+
"shell-execution"
|
|
215
|
+
],
|
|
216
|
+
"safe_install_plan": [
|
|
217
|
+
"Confirm usage rights and provenance before redistribution or enterprise deployment.",
|
|
218
|
+
"Require confirmation for every command and run inside an isolated environment.",
|
|
219
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
220
|
+
],
|
|
221
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
222
|
+
"alternatives": []
|
|
223
|
+
},
|
|
224
|
+
{
|
|
225
|
+
"id": "reviewed-mcp-mcp-suno",
|
|
226
|
+
"name": "mcp-suno",
|
|
227
|
+
"type": "mcp",
|
|
228
|
+
"source_url": "https://github.com/AceDataCloud/SunoMCP",
|
|
229
|
+
"intelligence_state": "strict_reviewed",
|
|
230
|
+
"trust_score": 60,
|
|
231
|
+
"decision": "allow_with_restrictions",
|
|
232
|
+
"risk_signals": [
|
|
233
|
+
"remote-code-install"
|
|
234
|
+
],
|
|
235
|
+
"safe_install_plan": [
|
|
236
|
+
"Pin the exact package version, release or commit and install only inside an isolated environment.",
|
|
237
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
238
|
+
],
|
|
239
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
240
|
+
"alternatives": []
|
|
241
|
+
},
|
|
242
|
+
{
|
|
243
|
+
"id": "reviewed-mcp-midjourney",
|
|
244
|
+
"name": "Midjourney",
|
|
245
|
+
"type": "mcp",
|
|
246
|
+
"source_url": "https://github.com/AceDataCloud/MidjourneyMCP",
|
|
247
|
+
"intelligence_state": "strict_reviewed",
|
|
248
|
+
"trust_score": 60,
|
|
249
|
+
"decision": "allow_with_restrictions",
|
|
250
|
+
"risk_signals": [
|
|
251
|
+
"remote-code-install"
|
|
252
|
+
],
|
|
253
|
+
"safe_install_plan": [
|
|
254
|
+
"Pin the exact package version, release or commit and install only inside an isolated environment.",
|
|
255
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
256
|
+
],
|
|
257
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
258
|
+
"alternatives": []
|
|
259
|
+
},
|
|
260
|
+
{
|
|
261
|
+
"id": "reviewed-mcp-mcp-nanobanana-pro",
|
|
262
|
+
"name": "mcp-nanobanana-pro",
|
|
263
|
+
"type": "mcp",
|
|
264
|
+
"source_url": "https://github.com/AceDataCloud/NanoBananaMCP",
|
|
265
|
+
"intelligence_state": "strict_reviewed",
|
|
266
|
+
"trust_score": 60,
|
|
267
|
+
"decision": "allow_with_restrictions",
|
|
268
|
+
"risk_signals": [
|
|
269
|
+
"remote-code-install"
|
|
270
|
+
],
|
|
271
|
+
"safe_install_plan": [
|
|
272
|
+
"Pin the exact package version, release or commit and install only inside an isolated environment.",
|
|
273
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
274
|
+
],
|
|
275
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
276
|
+
"alternatives": []
|
|
277
|
+
},
|
|
278
|
+
{
|
|
279
|
+
"id": "reviewed-mcp-mcp-seedance",
|
|
280
|
+
"name": "mcp-seedance",
|
|
281
|
+
"type": "mcp",
|
|
282
|
+
"source_url": "https://github.com/AceDataCloud/SeedanceMCP",
|
|
283
|
+
"intelligence_state": "strict_reviewed",
|
|
284
|
+
"trust_score": 60,
|
|
285
|
+
"decision": "allow_with_restrictions",
|
|
286
|
+
"risk_signals": [
|
|
287
|
+
"remote-code-install"
|
|
288
|
+
],
|
|
289
|
+
"safe_install_plan": [
|
|
290
|
+
"Pin the exact package version, release or commit and install only inside an isolated environment.",
|
|
291
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
292
|
+
],
|
|
293
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
294
|
+
"alternatives": []
|
|
295
|
+
},
|
|
296
|
+
{
|
|
297
|
+
"id": "reviewed-mcp-arcadia-finance",
|
|
298
|
+
"name": "Arcadia Finance",
|
|
299
|
+
"type": "mcp",
|
|
300
|
+
"source_url": "https://github.com/arcadia-finance/mcp-server",
|
|
301
|
+
"intelligence_state": "strict_reviewed",
|
|
302
|
+
"trust_score": 56,
|
|
303
|
+
"decision": "ask_user",
|
|
304
|
+
"risk_signals": [
|
|
305
|
+
"credential-access",
|
|
306
|
+
"network-access"
|
|
307
|
+
],
|
|
308
|
+
"safe_install_plan": [
|
|
309
|
+
"Use a dedicated least-privilege credential with explicit scope and rotation.",
|
|
310
|
+
"Allowlist required remote endpoints and deny undeclared destinations.",
|
|
311
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
312
|
+
],
|
|
313
|
+
"agent_action": "Pause automatic installation and ask the user before enabling this component.",
|
|
314
|
+
"alternatives": []
|
|
315
|
+
},
|
|
316
|
+
{
|
|
317
|
+
"id": "reviewed-agent-framework-chorus",
|
|
318
|
+
"name": "Chorus",
|
|
319
|
+
"type": "agent-framework",
|
|
320
|
+
"source_url": "https://github.com/Chorus-AIDLC/Chorus",
|
|
321
|
+
"intelligence_state": "strict_reviewed",
|
|
322
|
+
"trust_score": 53,
|
|
323
|
+
"decision": "ask_user",
|
|
324
|
+
"risk_signals": [
|
|
325
|
+
"license-undisclosed",
|
|
326
|
+
"remote-code-install"
|
|
327
|
+
],
|
|
328
|
+
"safe_install_plan": [
|
|
329
|
+
"Confirm usage rights and provenance before redistribution or enterprise deployment.",
|
|
330
|
+
"Pin the exact package version, release or commit and install only inside an isolated environment.",
|
|
331
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
332
|
+
],
|
|
333
|
+
"agent_action": "Pause automatic installation and ask the user before enabling this component.",
|
|
334
|
+
"alternatives": [
|
|
335
|
+
"LangGraph",
|
|
336
|
+
"AutoGen",
|
|
337
|
+
"CrewAI"
|
|
338
|
+
]
|
|
339
|
+
},
|
|
340
|
+
{
|
|
341
|
+
"id": "reviewed-agent-framework-cua",
|
|
342
|
+
"name": "cua",
|
|
343
|
+
"type": "agent-framework",
|
|
344
|
+
"source_url": "https://github.com/trycua/cua",
|
|
345
|
+
"intelligence_state": "strict_reviewed",
|
|
346
|
+
"trust_score": 52,
|
|
347
|
+
"decision": "ask_user",
|
|
348
|
+
"risk_signals": [
|
|
349
|
+
"credential-access",
|
|
350
|
+
"background-execution",
|
|
351
|
+
"network-access"
|
|
352
|
+
],
|
|
353
|
+
"safe_install_plan": [
|
|
354
|
+
"Use a dedicated least-privilege credential with explicit scope and rotation.",
|
|
355
|
+
"Disable unattended triggers until audit logging and an explicit stop control are configured.",
|
|
356
|
+
"Allowlist required remote endpoints and deny undeclared destinations.",
|
|
357
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
358
|
+
],
|
|
359
|
+
"agent_action": "Pause automatic installation and ask the user before enabling this component.",
|
|
360
|
+
"alternatives": [
|
|
361
|
+
"Chorus",
|
|
362
|
+
"CowAgent"
|
|
363
|
+
]
|
|
364
|
+
},
|
|
365
|
+
{
|
|
366
|
+
"id": "reviewed-skill-playwright-interactive",
|
|
367
|
+
"name": "playwright-interactive",
|
|
368
|
+
"type": "skill",
|
|
369
|
+
"source_url": "https://github.com/openai/skills/blob/main/skills/.curated/playwright-interactive/SKILL.md",
|
|
370
|
+
"intelligence_state": "strict_reviewed",
|
|
371
|
+
"trust_score": 51,
|
|
372
|
+
"decision": "ask_user",
|
|
373
|
+
"risk_signals": [
|
|
374
|
+
"license-undisclosed",
|
|
375
|
+
"browser-access",
|
|
376
|
+
"dynamic-code-execution"
|
|
377
|
+
],
|
|
378
|
+
"safe_install_plan": [
|
|
379
|
+
"Confirm usage rights and provenance before redistribution or enterprise deployment.",
|
|
380
|
+
"Use an isolated browser profile without personal cookies or sessions.",
|
|
381
|
+
"Disable dynamic code paths when possible and isolate execution from host credentials.",
|
|
382
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
383
|
+
],
|
|
384
|
+
"agent_action": "Pause automatic installation and ask the user before enabling this component.",
|
|
385
|
+
"alternatives": []
|
|
386
|
+
},
|
|
387
|
+
{
|
|
388
|
+
"id": "reviewed-skill-render-deploy",
|
|
389
|
+
"name": "render-deploy",
|
|
390
|
+
"type": "skill",
|
|
391
|
+
"source_url": "https://github.com/openai/skills/blob/main/skills/.curated/render-deploy/SKILL.md",
|
|
392
|
+
"intelligence_state": "strict_reviewed",
|
|
393
|
+
"trust_score": 48,
|
|
394
|
+
"decision": "ask_user",
|
|
395
|
+
"risk_signals": [
|
|
396
|
+
"license-undisclosed",
|
|
397
|
+
"background-execution",
|
|
398
|
+
"remote-code-install"
|
|
399
|
+
],
|
|
400
|
+
"safe_install_plan": [
|
|
401
|
+
"Confirm usage rights and provenance before redistribution or enterprise deployment.",
|
|
402
|
+
"Disable unattended triggers until audit logging and an explicit stop control are configured.",
|
|
403
|
+
"Pin the exact package version, release or commit and install only inside an isolated environment.",
|
|
404
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
405
|
+
],
|
|
406
|
+
"agent_action": "Pause automatic installation and ask the user before enabling this component.",
|
|
407
|
+
"alternatives": []
|
|
408
|
+
},
|
|
409
|
+
{
|
|
410
|
+
"id": "reviewed-mcp-synapse-layer-continuous-consciousness-infrastructure",
|
|
411
|
+
"name": "Synapse Layer Continuous Consciousness Infrastructure",
|
|
412
|
+
"type": "mcp",
|
|
413
|
+
"source_url": "https://github.com/SynapseLayer/synapse-layer",
|
|
414
|
+
"intelligence_state": "strict_reviewed",
|
|
415
|
+
"trust_score": 47,
|
|
416
|
+
"decision": "ask_user",
|
|
417
|
+
"risk_signals": [
|
|
418
|
+
"credential-access",
|
|
419
|
+
"network-access",
|
|
420
|
+
"background-execution",
|
|
421
|
+
"mcp-tool-surface",
|
|
422
|
+
"remote-code-install"
|
|
423
|
+
],
|
|
424
|
+
"safe_install_plan": [
|
|
425
|
+
"Use a dedicated least-privilege credential with explicit scope and rotation.",
|
|
426
|
+
"Allowlist required remote endpoints and deny undeclared destinations.",
|
|
427
|
+
"Disable unattended triggers until audit logging and an explicit stop control are configured.",
|
|
428
|
+
"Pin the exact package version, release or commit and install only inside an isolated environment.",
|
|
429
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
430
|
+
],
|
|
431
|
+
"agent_action": "Pause automatic installation and ask the user before enabling this component.",
|
|
432
|
+
"alternatives": []
|
|
433
|
+
},
|
|
434
|
+
{
|
|
435
|
+
"id": "reviewed-mcp-lune-research",
|
|
436
|
+
"name": "Lune Research",
|
|
437
|
+
"type": "mcp",
|
|
438
|
+
"source_url": "https://github.com/RetrogradeLabs/lune-mcp-server",
|
|
439
|
+
"intelligence_state": "strict_reviewed",
|
|
440
|
+
"trust_score": 44,
|
|
441
|
+
"decision": "ask_user",
|
|
442
|
+
"risk_signals": [
|
|
443
|
+
"credential-access",
|
|
444
|
+
"mcp-tool-surface",
|
|
445
|
+
"background-execution"
|
|
446
|
+
],
|
|
447
|
+
"safe_install_plan": [
|
|
448
|
+
"Use a dedicated least-privilege credential with explicit scope and rotation.",
|
|
449
|
+
"Disable unattended triggers until audit logging and an explicit stop control are configured.",
|
|
450
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
451
|
+
],
|
|
452
|
+
"agent_action": "Pause automatic installation and ask the user before enabling this component.",
|
|
453
|
+
"alternatives": []
|
|
454
|
+
},
|
|
455
|
+
{
|
|
456
|
+
"id": "reviewed-mcp-docspace",
|
|
457
|
+
"name": "docspace",
|
|
458
|
+
"type": "mcp",
|
|
459
|
+
"source_url": "https://github.com/ONLYOFFICE/docspace-mcp",
|
|
460
|
+
"intelligence_state": "strict_reviewed",
|
|
461
|
+
"trust_score": 40,
|
|
462
|
+
"decision": "ask_user",
|
|
463
|
+
"risk_signals": [
|
|
464
|
+
"credential-access",
|
|
465
|
+
"network-access",
|
|
466
|
+
"mcp-tool-surface",
|
|
467
|
+
"background-execution"
|
|
468
|
+
],
|
|
469
|
+
"safe_install_plan": [
|
|
470
|
+
"Use a dedicated least-privilege credential with explicit scope and rotation.",
|
|
471
|
+
"Allowlist required remote endpoints and deny undeclared destinations.",
|
|
472
|
+
"Disable unattended triggers until audit logging and an explicit stop control are configured.",
|
|
473
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
474
|
+
],
|
|
475
|
+
"agent_action": "Pause automatic installation and ask the user before enabling this component.",
|
|
476
|
+
"alternatives": []
|
|
477
|
+
},
|
|
478
|
+
{
|
|
479
|
+
"id": "reviewed-agent-framework-agent-s",
|
|
480
|
+
"name": "Agent-S",
|
|
481
|
+
"type": "agent-framework",
|
|
482
|
+
"source_url": "https://github.com/simular-ai/Agent-S",
|
|
483
|
+
"intelligence_state": "strict_reviewed",
|
|
484
|
+
"trust_score": 40,
|
|
485
|
+
"decision": "ask_user",
|
|
486
|
+
"risk_signals": [
|
|
487
|
+
"credential-access",
|
|
488
|
+
"filesystem-write",
|
|
489
|
+
"background-execution",
|
|
490
|
+
"browser-access"
|
|
491
|
+
],
|
|
492
|
+
"safe_install_plan": [
|
|
493
|
+
"Use a dedicated least-privilege credential with explicit scope and rotation.",
|
|
494
|
+
"Restrict write access to a dedicated workspace or temporary copy.",
|
|
495
|
+
"Disable unattended triggers until audit logging and an explicit stop control are configured.",
|
|
496
|
+
"Use an isolated browser profile without personal cookies or sessions.",
|
|
497
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
498
|
+
],
|
|
499
|
+
"agent_action": "Pause automatic installation and ask the user before enabling this component.",
|
|
500
|
+
"alternatives": [
|
|
501
|
+
"Chorus"
|
|
502
|
+
]
|
|
503
|
+
},
|
|
504
|
+
{
|
|
505
|
+
"id": "reviewed-mcp-quantrisk",
|
|
506
|
+
"name": "QuantRisk",
|
|
507
|
+
"type": "mcp",
|
|
508
|
+
"source_url": "https://github.com/78degrees/mcp-server",
|
|
509
|
+
"intelligence_state": "strict_reviewed",
|
|
510
|
+
"trust_score": 34,
|
|
511
|
+
"decision": "avoid",
|
|
512
|
+
"risk_signals": [
|
|
513
|
+
"network-access",
|
|
514
|
+
"dynamic-code-execution",
|
|
515
|
+
"credential-access"
|
|
516
|
+
],
|
|
517
|
+
"safe_install_plan": [
|
|
518
|
+
"Allowlist required remote endpoints and deny undeclared destinations.",
|
|
519
|
+
"Disable dynamic code paths when possible and isolate execution from host credentials.",
|
|
520
|
+
"Use a dedicated least-privilege credential with explicit scope and rotation.",
|
|
521
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
522
|
+
],
|
|
523
|
+
"agent_action": "Do not install automatically; choose an alternative or request explicit human approval.",
|
|
524
|
+
"alternatives": []
|
|
525
|
+
},
|
|
526
|
+
{
|
|
527
|
+
"id": "reviewed-agent-framework-openagentscontrol",
|
|
528
|
+
"name": "OpenAgentsControl",
|
|
529
|
+
"type": "agent-framework",
|
|
530
|
+
"source_url": "https://github.com/darrenhinde/OpenAgentsControl",
|
|
531
|
+
"intelligence_state": "strict_reviewed",
|
|
532
|
+
"trust_score": 34,
|
|
533
|
+
"decision": "avoid",
|
|
534
|
+
"risk_signals": [
|
|
535
|
+
"credential-access",
|
|
536
|
+
"dynamic-code-execution",
|
|
537
|
+
"filesystem-write",
|
|
538
|
+
"network-access"
|
|
539
|
+
],
|
|
540
|
+
"safe_install_plan": [
|
|
541
|
+
"Use a dedicated least-privilege credential with explicit scope and rotation.",
|
|
542
|
+
"Disable dynamic code paths when possible and isolate execution from host credentials.",
|
|
543
|
+
"Restrict write access to a dedicated workspace or temporary copy.",
|
|
544
|
+
"Allowlist required remote endpoints and deny undeclared destinations.",
|
|
545
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
546
|
+
],
|
|
547
|
+
"agent_action": "Do not install automatically; choose an alternative or request explicit human approval.",
|
|
548
|
+
"alternatives": [
|
|
549
|
+
"Chorus",
|
|
550
|
+
"CowAgent"
|
|
551
|
+
]
|
|
552
|
+
},
|
|
553
|
+
{
|
|
554
|
+
"id": "reviewed-mcp-mcp",
|
|
555
|
+
"name": "mcp",
|
|
556
|
+
"type": "mcp",
|
|
557
|
+
"source_url": "https://github.com/apideck-libraries/mcp",
|
|
558
|
+
"intelligence_state": "strict_reviewed",
|
|
559
|
+
"trust_score": 18,
|
|
560
|
+
"decision": "avoid",
|
|
561
|
+
"risk_signals": [
|
|
562
|
+
"credential-access",
|
|
563
|
+
"network-access",
|
|
564
|
+
"shell-execution",
|
|
565
|
+
"mcp-tool-surface",
|
|
566
|
+
"dynamic-code-execution"
|
|
567
|
+
],
|
|
568
|
+
"safe_install_plan": [
|
|
569
|
+
"Use a dedicated least-privilege credential with explicit scope and rotation.",
|
|
570
|
+
"Allowlist required remote endpoints and deny undeclared destinations.",
|
|
571
|
+
"Require confirmation for every command and run inside an isolated environment.",
|
|
572
|
+
"Disable dynamic code paths when possible and isolate execution from host credentials.",
|
|
573
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
574
|
+
],
|
|
575
|
+
"agent_action": "Do not install automatically; choose an alternative or request explicit human approval.",
|
|
576
|
+
"alternatives": []
|
|
577
|
+
},
|
|
578
|
+
{
|
|
579
|
+
"id": "reviewed-mcp-cathedral-persistent-memory-for-ai-agents",
|
|
580
|
+
"name": "Cathedral Persistent Memory for AI Agents",
|
|
581
|
+
"type": "mcp",
|
|
582
|
+
"source_url": "https://github.com/AILIFE1/Cathedral",
|
|
583
|
+
"intelligence_state": "strict_reviewed",
|
|
584
|
+
"trust_score": 16,
|
|
585
|
+
"decision": "avoid",
|
|
586
|
+
"risk_signals": [
|
|
587
|
+
"remote-code-install",
|
|
588
|
+
"credential-access",
|
|
589
|
+
"prompt-injection-pattern",
|
|
590
|
+
"network-access"
|
|
591
|
+
],
|
|
592
|
+
"safe_install_plan": [
|
|
593
|
+
"Pin the exact package version, release or commit and install only inside an isolated environment.",
|
|
594
|
+
"Use a dedicated least-privilege credential with explicit scope and rotation.",
|
|
595
|
+
"Review instruction precedence and require confirmation before tool actions caused by external content.",
|
|
596
|
+
"Allowlist required remote endpoints and deny undeclared destinations.",
|
|
597
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
598
|
+
],
|
|
599
|
+
"agent_action": "Do not install automatically; choose an alternative or request explicit human approval.",
|
|
600
|
+
"alternatives": []
|
|
601
|
+
},
|
|
602
|
+
{
|
|
603
|
+
"id": "reviewed-agent-framework-lamda",
|
|
604
|
+
"name": "lamda",
|
|
605
|
+
"type": "agent-framework",
|
|
606
|
+
"source_url": "https://github.com/firerpa/lamda",
|
|
607
|
+
"intelligence_state": "strict_reviewed",
|
|
608
|
+
"trust_score": 14,
|
|
609
|
+
"decision": "avoid",
|
|
610
|
+
"risk_signals": [
|
|
611
|
+
"credential-access",
|
|
612
|
+
"filesystem-write",
|
|
613
|
+
"dynamic-code-execution",
|
|
614
|
+
"shell-execution",
|
|
615
|
+
"background-execution",
|
|
616
|
+
"network-access"
|
|
617
|
+
],
|
|
618
|
+
"safe_install_plan": [
|
|
619
|
+
"Use a dedicated least-privilege credential with explicit scope and rotation.",
|
|
620
|
+
"Restrict write access to a dedicated workspace or temporary copy.",
|
|
621
|
+
"Disable dynamic code paths when possible and isolate execution from host credentials.",
|
|
622
|
+
"Require confirmation for every command and run inside an isolated environment.",
|
|
623
|
+
"Disable unattended triggers until audit logging and an explicit stop control are configured.",
|
|
624
|
+
"Allowlist required remote endpoints and deny undeclared destinations.",
|
|
625
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
626
|
+
],
|
|
627
|
+
"agent_action": "Do not install automatically; choose an alternative or request explicit human approval.",
|
|
628
|
+
"alternatives": [
|
|
629
|
+
"Chorus",
|
|
630
|
+
"CowAgent"
|
|
631
|
+
]
|
|
632
|
+
},
|
|
633
|
+
{
|
|
634
|
+
"id": "reviewed-agent-framework-cowagent",
|
|
635
|
+
"name": "CowAgent",
|
|
636
|
+
"type": "agent-framework",
|
|
637
|
+
"source_url": "https://github.com/zhayujie/CowAgent",
|
|
638
|
+
"intelligence_state": "strict_reviewed",
|
|
639
|
+
"trust_score": 6,
|
|
640
|
+
"decision": "avoid",
|
|
641
|
+
"risk_signals": [
|
|
642
|
+
"credential-access",
|
|
643
|
+
"browser-access",
|
|
644
|
+
"shell-execution",
|
|
645
|
+
"background-execution",
|
|
646
|
+
"filesystem-write",
|
|
647
|
+
"network-access",
|
|
648
|
+
"mcp-tool-surface"
|
|
649
|
+
],
|
|
650
|
+
"safe_install_plan": [
|
|
651
|
+
"Use a dedicated least-privilege credential with explicit scope and rotation.",
|
|
652
|
+
"Use an isolated browser profile without personal cookies or sessions.",
|
|
653
|
+
"Require confirmation for every command and run inside an isolated environment.",
|
|
654
|
+
"Disable unattended triggers until audit logging and an explicit stop control are configured.",
|
|
655
|
+
"Restrict write access to a dedicated workspace or temporary copy.",
|
|
656
|
+
"Allowlist required remote endpoints and deny undeclared destinations.",
|
|
657
|
+
"Grant only the permissions required for the current task and remove unused capabilities."
|
|
658
|
+
],
|
|
659
|
+
"agent_action": "Do not install automatically; choose an alternative or request explicit human approval.",
|
|
660
|
+
"alternatives": [
|
|
661
|
+
"Chorus"
|
|
662
|
+
]
|
|
663
|
+
},
|
|
664
|
+
{
|
|
665
|
+
"id": "mcp-filesystem",
|
|
666
|
+
"name": "filesystem",
|
|
667
|
+
"type": "mcp",
|
|
668
|
+
"source_url": null,
|
|
669
|
+
"intelligence_state": "curated_baseline",
|
|
670
|
+
"trust_score": 74,
|
|
671
|
+
"decision": "allow_with_restrictions",
|
|
672
|
+
"risk_signals": [
|
|
673
|
+
"filesystem-read",
|
|
674
|
+
"filesystem-write",
|
|
675
|
+
"subprocess-spawn"
|
|
676
|
+
],
|
|
677
|
+
"safe_install_plan": [
|
|
678
|
+
"Restrict filesystem scope to the current project directory.",
|
|
679
|
+
"Prefer read-only mode when the task only needs inspection.",
|
|
680
|
+
"Pin the package or executable version before enabling it."
|
|
681
|
+
],
|
|
682
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
683
|
+
"alternatives": [
|
|
684
|
+
"read-only filesystem tooling",
|
|
685
|
+
"temporary workspace copy"
|
|
686
|
+
]
|
|
687
|
+
},
|
|
688
|
+
{
|
|
689
|
+
"id": "agent-framework-langgraph",
|
|
690
|
+
"name": "LangGraph",
|
|
691
|
+
"type": "agent-framework",
|
|
692
|
+
"source_url": null,
|
|
693
|
+
"intelligence_state": "curated_baseline",
|
|
694
|
+
"trust_score": 73,
|
|
695
|
+
"decision": "allow_with_restrictions",
|
|
696
|
+
"risk_signals": [
|
|
697
|
+
"agent-orchestration",
|
|
698
|
+
"tool-chaining",
|
|
699
|
+
"network-access"
|
|
700
|
+
],
|
|
701
|
+
"safe_install_plan": [
|
|
702
|
+
"Review graph nodes that can call tools or external APIs.",
|
|
703
|
+
"Apply allowlists to write-capable tools.",
|
|
704
|
+
"Log state transitions for autonomous workflows."
|
|
705
|
+
],
|
|
706
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
707
|
+
"alternatives": [
|
|
708
|
+
"read-only graph execution",
|
|
709
|
+
"manual approval node"
|
|
710
|
+
]
|
|
711
|
+
},
|
|
712
|
+
{
|
|
713
|
+
"id": "agent-framework-autogen",
|
|
714
|
+
"name": "AutoGen",
|
|
715
|
+
"type": "agent-framework",
|
|
716
|
+
"source_url": null,
|
|
717
|
+
"intelligence_state": "curated_baseline",
|
|
718
|
+
"trust_score": 72,
|
|
719
|
+
"decision": "allow_with_restrictions",
|
|
720
|
+
"risk_signals": [
|
|
721
|
+
"network-access",
|
|
722
|
+
"code-execution",
|
|
723
|
+
"multi-agent-delegation"
|
|
724
|
+
],
|
|
725
|
+
"safe_install_plan": [
|
|
726
|
+
"Restrict code execution tools until the task requires them.",
|
|
727
|
+
"Use scoped API keys and avoid sharing personal credentials across agents.",
|
|
728
|
+
"Log delegated tool calls for later review."
|
|
729
|
+
],
|
|
730
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
731
|
+
"alternatives": [
|
|
732
|
+
"single-agent review mode",
|
|
733
|
+
"tool allowlist policy"
|
|
734
|
+
]
|
|
735
|
+
},
|
|
736
|
+
{
|
|
737
|
+
"id": "agent-framework-crewai",
|
|
738
|
+
"name": "CrewAI",
|
|
739
|
+
"type": "agent-framework",
|
|
740
|
+
"source_url": null,
|
|
741
|
+
"intelligence_state": "curated_baseline",
|
|
742
|
+
"trust_score": 70,
|
|
743
|
+
"decision": "allow_with_restrictions",
|
|
744
|
+
"risk_signals": [
|
|
745
|
+
"network-access",
|
|
746
|
+
"multi-agent-delegation",
|
|
747
|
+
"tool-chaining"
|
|
748
|
+
],
|
|
749
|
+
"safe_install_plan": [
|
|
750
|
+
"Review tool assignments before running autonomous crews.",
|
|
751
|
+
"Use least-privilege API credentials per task.",
|
|
752
|
+
"Disable write-capable tools unless needed."
|
|
753
|
+
],
|
|
754
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
755
|
+
"alternatives": [
|
|
756
|
+
"read-only tool crew",
|
|
757
|
+
"manual approval for write actions"
|
|
758
|
+
]
|
|
759
|
+
},
|
|
760
|
+
{
|
|
761
|
+
"id": "mcp-brave-search",
|
|
762
|
+
"name": "brave-search",
|
|
763
|
+
"type": "mcp",
|
|
764
|
+
"source_url": null,
|
|
765
|
+
"intelligence_state": "curated_baseline",
|
|
766
|
+
"trust_score": 69,
|
|
767
|
+
"decision": "allow_with_restrictions",
|
|
768
|
+
"risk_signals": [
|
|
769
|
+
"network-access",
|
|
770
|
+
"external-api",
|
|
771
|
+
"credential-access"
|
|
772
|
+
],
|
|
773
|
+
"safe_install_plan": [
|
|
774
|
+
"Use a scoped search API key.",
|
|
775
|
+
"Do not send private workspace content as search queries by default.",
|
|
776
|
+
"Log outbound query categories for later review."
|
|
777
|
+
],
|
|
778
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
779
|
+
"alternatives": [
|
|
780
|
+
"manual search handoff",
|
|
781
|
+
"restricted web search tool"
|
|
782
|
+
]
|
|
783
|
+
},
|
|
784
|
+
{
|
|
785
|
+
"id": "agent-platform-dify",
|
|
786
|
+
"name": "Dify",
|
|
787
|
+
"type": "agent-framework",
|
|
788
|
+
"source_url": null,
|
|
789
|
+
"intelligence_state": "curated_baseline",
|
|
790
|
+
"trust_score": 67,
|
|
791
|
+
"decision": "allow_with_restrictions",
|
|
792
|
+
"risk_signals": [
|
|
793
|
+
"workflow-automation",
|
|
794
|
+
"network-access",
|
|
795
|
+
"plugin-access",
|
|
796
|
+
"credential-access"
|
|
797
|
+
],
|
|
798
|
+
"safe_install_plan": [
|
|
799
|
+
"Review connected tools, plugins and workflow triggers before autonomous execution.",
|
|
800
|
+
"Use scoped credentials for each integration.",
|
|
801
|
+
"Separate test workflows from production workflows."
|
|
802
|
+
],
|
|
803
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
804
|
+
"alternatives": [
|
|
805
|
+
"restricted workflow workspace",
|
|
806
|
+
"manual approval for production actions"
|
|
807
|
+
]
|
|
808
|
+
},
|
|
809
|
+
{
|
|
810
|
+
"id": "memory-vector-store",
|
|
811
|
+
"name": "vector-memory-store",
|
|
812
|
+
"type": "memory",
|
|
813
|
+
"source_url": null,
|
|
814
|
+
"intelligence_state": "curated_baseline",
|
|
815
|
+
"trust_score": 66,
|
|
816
|
+
"decision": "allow_with_restrictions",
|
|
817
|
+
"risk_signals": [
|
|
818
|
+
"data-retention",
|
|
819
|
+
"network-access",
|
|
820
|
+
"credential-access"
|
|
821
|
+
],
|
|
822
|
+
"safe_install_plan": [
|
|
823
|
+
"Do not store secrets or personal data in long-term memory.",
|
|
824
|
+
"Separate project memory from personal memory.",
|
|
825
|
+
"Review retention and deletion controls before enabling."
|
|
826
|
+
],
|
|
827
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
828
|
+
"alternatives": [
|
|
829
|
+
"ephemeral task memory",
|
|
830
|
+
"local encrypted memory store"
|
|
831
|
+
]
|
|
832
|
+
},
|
|
833
|
+
{
|
|
834
|
+
"id": "mcp-sqlite",
|
|
835
|
+
"name": "sqlite",
|
|
836
|
+
"type": "mcp",
|
|
837
|
+
"source_url": null,
|
|
838
|
+
"intelligence_state": "curated_baseline",
|
|
839
|
+
"trust_score": 66,
|
|
840
|
+
"decision": "allow_with_restrictions",
|
|
841
|
+
"risk_signals": [
|
|
842
|
+
"filesystem-write",
|
|
843
|
+
"database-access",
|
|
844
|
+
"local-file-access"
|
|
845
|
+
],
|
|
846
|
+
"safe_install_plan": [
|
|
847
|
+
"Use a copied database file for autonomous analysis.",
|
|
848
|
+
"Avoid write mode unless the task requires mutation.",
|
|
849
|
+
"Back up the database before enabling agent access."
|
|
850
|
+
],
|
|
851
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
852
|
+
"alternatives": [
|
|
853
|
+
"read-only copied database",
|
|
854
|
+
"manual SQL export"
|
|
855
|
+
]
|
|
856
|
+
},
|
|
857
|
+
{
|
|
858
|
+
"id": "workflow-activepieces",
|
|
859
|
+
"name": "Activepieces",
|
|
860
|
+
"type": "workflow",
|
|
861
|
+
"source_url": null,
|
|
862
|
+
"intelligence_state": "curated_baseline",
|
|
863
|
+
"trust_score": 64,
|
|
864
|
+
"decision": "allow_with_restrictions",
|
|
865
|
+
"risk_signals": [
|
|
866
|
+
"workflow-automation",
|
|
867
|
+
"third-party-integration",
|
|
868
|
+
"credential-access",
|
|
869
|
+
"background-execution"
|
|
870
|
+
],
|
|
871
|
+
"safe_install_plan": [
|
|
872
|
+
"Review all connected apps and triggers.",
|
|
873
|
+
"Disable production write actions until reviewed.",
|
|
874
|
+
"Use test accounts or scoped app credentials for agents."
|
|
875
|
+
],
|
|
876
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
877
|
+
"alternatives": [
|
|
878
|
+
"manual workflow approval",
|
|
879
|
+
"restricted integration workspace"
|
|
880
|
+
]
|
|
881
|
+
},
|
|
882
|
+
{
|
|
883
|
+
"id": "agent-framework-openhands",
|
|
884
|
+
"name": "OpenHands",
|
|
885
|
+
"type": "agent-framework",
|
|
886
|
+
"source_url": null,
|
|
887
|
+
"intelligence_state": "curated_baseline",
|
|
888
|
+
"trust_score": 63,
|
|
889
|
+
"decision": "allow_with_restrictions",
|
|
890
|
+
"risk_signals": [
|
|
891
|
+
"shell-execution",
|
|
892
|
+
"filesystem-write",
|
|
893
|
+
"network-access",
|
|
894
|
+
"credential-access"
|
|
895
|
+
],
|
|
896
|
+
"safe_install_plan": [
|
|
897
|
+
"Run inside a dedicated workspace or container.",
|
|
898
|
+
"Do not mount personal home directories by default.",
|
|
899
|
+
"Use scoped credentials and review tool permissions before autonomous execution."
|
|
900
|
+
],
|
|
901
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
902
|
+
"alternatives": [
|
|
903
|
+
"containerized agent workspace",
|
|
904
|
+
"manual approval mode"
|
|
905
|
+
]
|
|
906
|
+
},
|
|
907
|
+
{
|
|
908
|
+
"id": "tool-composio",
|
|
909
|
+
"name": "Composio",
|
|
910
|
+
"type": "tool",
|
|
911
|
+
"source_url": null,
|
|
912
|
+
"intelligence_state": "curated_baseline",
|
|
913
|
+
"trust_score": 62,
|
|
914
|
+
"decision": "allow_with_restrictions",
|
|
915
|
+
"risk_signals": [
|
|
916
|
+
"third-party-tool-access",
|
|
917
|
+
"network-access",
|
|
918
|
+
"credential-access",
|
|
919
|
+
"multi-app-delegation"
|
|
920
|
+
],
|
|
921
|
+
"safe_install_plan": [
|
|
922
|
+
"Enable only the app integrations required for the current task.",
|
|
923
|
+
"Use scoped OAuth grants or test accounts.",
|
|
924
|
+
"Require user confirmation before write actions across third-party apps."
|
|
925
|
+
],
|
|
926
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
927
|
+
"alternatives": [
|
|
928
|
+
"single-app scoped MCP",
|
|
929
|
+
"manual OAuth approval workflow"
|
|
930
|
+
]
|
|
931
|
+
},
|
|
932
|
+
{
|
|
933
|
+
"id": "tool-docker-runtime",
|
|
934
|
+
"name": "docker-runtime",
|
|
935
|
+
"type": "tool",
|
|
936
|
+
"source_url": null,
|
|
937
|
+
"intelligence_state": "curated_baseline",
|
|
938
|
+
"trust_score": 60,
|
|
939
|
+
"decision": "allow_with_restrictions",
|
|
940
|
+
"risk_signals": [
|
|
941
|
+
"docker-runtime",
|
|
942
|
+
"filesystem-write",
|
|
943
|
+
"network-access"
|
|
944
|
+
],
|
|
945
|
+
"safe_install_plan": [
|
|
946
|
+
"Avoid privileged containers.",
|
|
947
|
+
"Mount only task-specific directories.",
|
|
948
|
+
"Pin image digests or trusted tags before execution."
|
|
949
|
+
],
|
|
950
|
+
"agent_action": "Install only after applying every safe-install control.",
|
|
951
|
+
"alternatives": [
|
|
952
|
+
"rootless container runtime",
|
|
953
|
+
"temporary container workspace"
|
|
954
|
+
]
|
|
955
|
+
},
|
|
956
|
+
{
|
|
957
|
+
"id": "mcp-github",
|
|
958
|
+
"name": "github",
|
|
959
|
+
"type": "mcp",
|
|
960
|
+
"source_url": null,
|
|
961
|
+
"intelligence_state": "curated_baseline",
|
|
962
|
+
"trust_score": 68,
|
|
963
|
+
"decision": "ask_user",
|
|
964
|
+
"risk_signals": [
|
|
965
|
+
"network-access",
|
|
966
|
+
"credential-access",
|
|
967
|
+
"repository-write"
|
|
968
|
+
],
|
|
969
|
+
"safe_install_plan": [
|
|
970
|
+
"Use a scoped token with the minimum repository permissions.",
|
|
971
|
+
"Prefer read-only repository permissions unless write access is required.",
|
|
972
|
+
"Do not pass personal high-privilege tokens to autonomous agents."
|
|
973
|
+
],
|
|
974
|
+
"agent_action": "Pause automatic installation and ask the user before enabling this component.",
|
|
975
|
+
"alternatives": [
|
|
976
|
+
"scoped read-only GitHub token",
|
|
977
|
+
"repository-specific bot account"
|
|
978
|
+
]
|
|
979
|
+
},
|
|
980
|
+
{
|
|
981
|
+
"id": "browser-control-skill",
|
|
982
|
+
"name": "browser-control",
|
|
983
|
+
"type": "skill",
|
|
984
|
+
"source_url": null,
|
|
985
|
+
"intelligence_state": "curated_baseline",
|
|
986
|
+
"trust_score": 61,
|
|
987
|
+
"decision": "ask_user",
|
|
988
|
+
"risk_signals": [
|
|
989
|
+
"browser-access",
|
|
990
|
+
"network-access",
|
|
991
|
+
"credential-exposure"
|
|
992
|
+
],
|
|
993
|
+
"safe_install_plan": [
|
|
994
|
+
"Use a dedicated browser profile for autonomous agents.",
|
|
995
|
+
"Do not expose personal cookies or logged-in sessions by default.",
|
|
996
|
+
"Require user confirmation before submitting forms or transferring data."
|
|
997
|
+
],
|
|
998
|
+
"agent_action": "Pause automatic installation and ask the user before enabling this component.",
|
|
999
|
+
"alternatives": [
|
|
1000
|
+
"sandbox browser profile",
|
|
1001
|
+
"read-only page inspection tool"
|
|
1002
|
+
]
|
|
1003
|
+
},
|
|
1004
|
+
{
|
|
1005
|
+
"id": "mcp-slack",
|
|
1006
|
+
"name": "slack",
|
|
1007
|
+
"type": "mcp",
|
|
1008
|
+
"source_url": null,
|
|
1009
|
+
"intelligence_state": "curated_baseline",
|
|
1010
|
+
"trust_score": 59,
|
|
1011
|
+
"decision": "ask_user",
|
|
1012
|
+
"risk_signals": [
|
|
1013
|
+
"network-access",
|
|
1014
|
+
"credential-access",
|
|
1015
|
+
"message-read",
|
|
1016
|
+
"message-write"
|
|
1017
|
+
],
|
|
1018
|
+
"safe_install_plan": [
|
|
1019
|
+
"Use a workspace-scoped bot token with minimum channels.",
|
|
1020
|
+
"Disable write actions until the user explicitly approves them.",
|
|
1021
|
+
"Do not expose private channels by default."
|
|
1022
|
+
],
|
|
1023
|
+
"agent_action": "Pause automatic installation and ask the user before enabling this component.",
|
|
1024
|
+
"alternatives": [
|
|
1025
|
+
"read-only Slack bot token",
|
|
1026
|
+
"manual message approval"
|
|
1027
|
+
]
|
|
1028
|
+
},
|
|
1029
|
+
{
|
|
1030
|
+
"id": "workflow-github-actions-agent",
|
|
1031
|
+
"name": "github-actions-agent-workflow",
|
|
1032
|
+
"type": "workflow",
|
|
1033
|
+
"source_url": null,
|
|
1034
|
+
"intelligence_state": "curated_baseline",
|
|
1035
|
+
"trust_score": 58,
|
|
1036
|
+
"decision": "ask_user",
|
|
1037
|
+
"risk_signals": [
|
|
1038
|
+
"background-execution",
|
|
1039
|
+
"credential-access",
|
|
1040
|
+
"repository-write",
|
|
1041
|
+
"network-access"
|
|
1042
|
+
],
|
|
1043
|
+
"safe_install_plan": [
|
|
1044
|
+
"Review scheduled and workflow_dispatch triggers.",
|
|
1045
|
+
"Use repository-scoped tokens with minimum permissions.",
|
|
1046
|
+
"Require manual approval before publishing releases or writing secrets."
|
|
1047
|
+
],
|
|
1048
|
+
"agent_action": "Pause automatic installation and ask the user before enabling this component.",
|
|
1049
|
+
"alternatives": [
|
|
1050
|
+
"read-only CI workflow",
|
|
1051
|
+
"manual dispatch with restricted token"
|
|
1052
|
+
]
|
|
1053
|
+
},
|
|
1054
|
+
{
|
|
1055
|
+
"id": "mcp-postgres",
|
|
1056
|
+
"name": "postgres",
|
|
1057
|
+
"type": "mcp",
|
|
1058
|
+
"source_url": null,
|
|
1059
|
+
"intelligence_state": "curated_baseline",
|
|
1060
|
+
"trust_score": 57,
|
|
1061
|
+
"decision": "ask_user",
|
|
1062
|
+
"risk_signals": [
|
|
1063
|
+
"database-access",
|
|
1064
|
+
"credential-access",
|
|
1065
|
+
"data-exposure-risk"
|
|
1066
|
+
],
|
|
1067
|
+
"safe_install_plan": [
|
|
1068
|
+
"Use a read-only database role unless write access is explicitly required.",
|
|
1069
|
+
"Connect only to a task-specific database or replica.",
|
|
1070
|
+
"Do not expose production credentials to autonomous agents."
|
|
1071
|
+
],
|
|
1072
|
+
"agent_action": "Pause automatic installation and ask the user before enabling this component.",
|
|
1073
|
+
"alternatives": [
|
|
1074
|
+
"read-only database replica",
|
|
1075
|
+
"query review workflow"
|
|
1076
|
+
]
|
|
1077
|
+
},
|
|
1078
|
+
{
|
|
1079
|
+
"id": "agent-framework-openmanus",
|
|
1080
|
+
"name": "OpenManus",
|
|
1081
|
+
"type": "agent-framework",
|
|
1082
|
+
"source_url": null,
|
|
1083
|
+
"intelligence_state": "curated_baseline",
|
|
1084
|
+
"trust_score": 56,
|
|
1085
|
+
"decision": "ask_user",
|
|
1086
|
+
"risk_signals": [
|
|
1087
|
+
"shell-execution",
|
|
1088
|
+
"network-access",
|
|
1089
|
+
"browser-access",
|
|
1090
|
+
"unknown-source"
|
|
1091
|
+
],
|
|
1092
|
+
"safe_install_plan": [
|
|
1093
|
+
"Require user confirmation before enabling autonomous tool execution.",
|
|
1094
|
+
"Use a separate browser profile and isolated workspace.",
|
|
1095
|
+
"Record exact source URL and version before installation."
|
|
1096
|
+
],
|
|
1097
|
+
"agent_action": "Pause automatic installation and ask the user before enabling this component.",
|
|
1098
|
+
"alternatives": [
|
|
1099
|
+
"restricted autonomous-agent profile",
|
|
1100
|
+
"manual tool approval workflow"
|
|
1101
|
+
]
|
|
1102
|
+
},
|
|
1103
|
+
{
|
|
1104
|
+
"id": "workflow-n8n-templates",
|
|
1105
|
+
"name": "n8n-workflow-templates",
|
|
1106
|
+
"type": "workflow",
|
|
1107
|
+
"source_url": null,
|
|
1108
|
+
"intelligence_state": "curated_baseline",
|
|
1109
|
+
"trust_score": 55,
|
|
1110
|
+
"decision": "ask_user",
|
|
1111
|
+
"risk_signals": [
|
|
1112
|
+
"workflow-import",
|
|
1113
|
+
"credential-access",
|
|
1114
|
+
"background-execution",
|
|
1115
|
+
"third-party-integration"
|
|
1116
|
+
],
|
|
1117
|
+
"safe_install_plan": [
|
|
1118
|
+
"Inspect imported workflow nodes before enabling.",
|
|
1119
|
+
"Remove embedded credentials or webhook secrets.",
|
|
1120
|
+
"Run imported workflows in a test workspace first."
|
|
1121
|
+
],
|
|
1122
|
+
"agent_action": "Pause automatic installation and ask the user before enabling this component.",
|
|
1123
|
+
"alternatives": [
|
|
1124
|
+
"manual workflow rebuild",
|
|
1125
|
+
"restricted workflow import"
|
|
1126
|
+
]
|
|
1127
|
+
},
|
|
1128
|
+
{
|
|
1129
|
+
"id": "mcp-puppeteer-browser",
|
|
1130
|
+
"name": "puppeteer-browser",
|
|
1131
|
+
"type": "mcp",
|
|
1132
|
+
"source_url": null,
|
|
1133
|
+
"intelligence_state": "curated_baseline",
|
|
1134
|
+
"trust_score": 54,
|
|
1135
|
+
"decision": "ask_user",
|
|
1136
|
+
"risk_signals": [
|
|
1137
|
+
"browser-access",
|
|
1138
|
+
"network-access",
|
|
1139
|
+
"credential-access",
|
|
1140
|
+
"form-submission"
|
|
1141
|
+
],
|
|
1142
|
+
"safe_install_plan": [
|
|
1143
|
+
"Use a dedicated browser profile without personal cookies.",
|
|
1144
|
+
"Require confirmation before form submission, checkout, transfer or login actions.",
|
|
1145
|
+
"Block access to password managers and personal sessions."
|
|
1146
|
+
],
|
|
1147
|
+
"agent_action": "Pause automatic installation and ask the user before enabling this component.",
|
|
1148
|
+
"alternatives": [
|
|
1149
|
+
"read-only page inspection",
|
|
1150
|
+
"sandbox browser profile"
|
|
1151
|
+
]
|
|
1152
|
+
}
|
|
1153
|
+
]
|
|
1154
|
+
}
|