agent-security-lens 0.1.3 → 0.1.5

package/.dockerignore

@@ -0,0 +1,11 @@
+.git
+.agentsecuritylens
+.agentsecuritylens-test
+.asl-data-production-batch-20260615
+.npm-cache
+.release-worktree
+assessment-runs
+node_modules
+*.tgz
+*.log
+dist

package/.mcp/server.json

@@ -8,12 +8,12 @@
     "url": "https://github.com/professor2k8/agent-security-lens",
     "source": "github"
   },
-  "version": "0.1.3",
+  "version": "0.1.5",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "agent-security-lens",
-      "version": "0.1.3",
+      "version": "0.1.5",
       "transport": {
         "type": "stdio"
       },

package/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## 0.1.5
+
+- Add `asl-review` and `agent-security-lens-review` quick decision commands for pre-install checks without configuring an MCP client first.
+- Add first-screen quick review instructions for agents and developers.
+- Record quick-review usage events so npm installs can convert into measurable ASL decision calls.
+
+## 0.1.4
+
+- Add copy-ready MCP install snippets for Claude Desktop, Cursor, VS Code, Codex-style clients and generic MCP clients.
+- Add OpenHands, OpenManus and OpenClaw pre-install safety snippets.
+- Add reusable Agent pre-install policy for `AGENTS.md`, `CLAUDE.md`, Cursor rules and workspace instructions.
+- Link Agent exposure assets from README and `llms.txt`.
+- Add private exposure targets and daily exposure brief generation for operations.
+
 ## 0.1.3
 
 - Improve agent-first installation copy in the README.

package/Dockerfile

@@ -0,0 +1,11 @@
+FROM node:22-alpine
+
+WORKDIR /app
+
+ENV NODE_ENV=production \
+    ASL_MODE=local \
+    ASL_DISABLE_CLOUD=1
+
+COPY . .
+
+CMD ["node", "./apps/mcp-server/agent-security-lens-mcp.mjs"]

package/README.md

@@ -8,6 +8,19 @@ ASL is not a malware verdict tool. It returns observable risk signals, required
 
 ## Agent Quick Install
 
+Try one pre-install decision first:
+
+```bash
+npx -y --package agent-security-lens asl-review filesystem \
+  --type mcp \
+  --source-url https://github.com/modelcontextprotocol/servers \
+  --install-command "npx -y @modelcontextprotocol/server-filesystem ." \
+  --permission filesystem-read \
+  --permission filesystem-write
+```
+
+The command returns an agent-readable decision, trust score, risk signals, safe install plan, and whether automatic installation is allowed.
+
 Add ASL as a pre-install trust check MCP:
 
 ```json
@@ -32,6 +45,11 @@ Never submit private source code, secrets, tokens, cookies or file contents.
 
 See [Agent install guide](docs/agent-install.md) for Claude Desktop, Cursor, Codex-style and generic MCP configurations.
 
+Copy-ready files:
+
+- [Install snippets](docs/install-snippets/README.md)
+- [Agent pre-install policy](docs/policies/agent-preinstall-policy.md)
+
 ## Public Intelligence
 
 The public package includes a reviewed baseline so agents can still make conservative decisions when the cloud API is unavailable.

package/RELEASE-MANIFEST.json

@@ -1,10 +1,15 @@
 {
   "schema_version": "0.1.0",
   "package": "agent-security-lens",
-  "version": "0.1.3",
-  "generated_at": "2026-06-22T08:01:37.097Z",
+  "version": "0.1.5",
+  "generated_at": "2026-06-24T12:03:47.242Z",
   "source": "ASL verified public release exporter",
   "files": [
+    {
+      "path": ".dockerignore",
+      "bytes": 159,
+      "sha256": "78fb3128cefbfdc369a213140894c3ffb189cefe519569a0a6f06add6f4e160d"
+    },
     {
       "path": ".env.example",
       "bytes": 322,
@@ -43,7 +48,7 @@
     {
       "path": ".mcp/server.json",
       "bytes": 1316,
-      "sha256": "cff25d18a7c6d1259d400599537de259731224109f4cf16129cd4984027b16ab"
+      "sha256": "01b08b038eb21dd2295495b5b6510fa152a7ad5e0cec8ad58a0930b2236bc2a4"
     },
     {
       "path": ".npmignore",
@@ -52,8 +57,8 @@
     },
     {
       "path": "CHANGELOG.md",
-      "bytes": 1600,
-      "sha256": "990eb963697607ee08be8f8a24ba24f78c0e4ce38c510509b20f3920cdc7fa91"
+      "bytes": 2373,
+      "sha256": "94e67cb8c723468ff5fab1a1376d5ba3323fb21343823a06d2dcde0c81c33f10"
     },
     {
       "path": "CODE_OF_CONDUCT.md",
@@ -65,6 +70,11 @@
       "bytes": 620,
       "sha256": "b74ec3539a56b9af93cb25e59cdcb75ef1c9125611552d4bd6f7764d283e8736"
     },
+    {
+      "path": "Dockerfile",
+      "bytes": 179,
+      "sha256": "b00c41e62cdc82eb1a40d9a9fd25024a482f6b6a36c54e05c33ce41353b08e9a"
+    },
     {
       "path": "LICENSE",
       "bytes": 645,
@@ -77,8 +87,8 @@
     },
     {
       "path": "README.md",
-      "bytes": 6481,
-      "sha256": "0e48df39c037cc156db7b958aa7d8dab70f6c212a984a93c1f3f2f7a27944ab6"
+      "bytes": 7097,
+      "sha256": "521c54734fafe40d25719373fc04dbbe052f2185f381cd85015999940745c3e2"
     },
     {
       "path": "SECURITY.md",
@@ -90,6 +100,11 @@
       "bytes": 15239,
       "sha256": "612a1c12ed4a646d9208e8393ac0964b89b6034f5559d32f23a9217f1ff37376"
     },
+    {
+      "path": "bin/agent-security-lens-review.mjs",
+      "bytes": 6938,
+      "sha256": "8086a968c00640e0aa08b0bb0107ced6aa3e686846d3d51e2bba52f1b2e4eb9d"
+    },
     {
       "path": "bin/agent-security-lens.mjs",
       "bytes": 3259,
@@ -130,6 +145,56 @@
       "bytes": 3044,
       "sha256": "8411a4bfacdd0f416fc79674e060524a03082aca18193347ef934771e06a65f1"
     },
+    {
+      "path": "docs/install-snippets/README.md",
+      "bytes": 1375,
+      "sha256": "c94f6df92860fe936d9bc72a338296c7c90eb72c6e1f31ccc10f90db728479ff"
+    },
+    {
+      "path": "docs/install-snippets/claude-desktop.json",
+      "bytes": 269,
+      "sha256": "02f32748c50819c19d8ae115465668a9918f25ee8996ff04ceb385279ec10116"
+    },
+    {
+      "path": "docs/install-snippets/codex-mcp.json",
+      "bytes": 269,
+      "sha256": "02f32748c50819c19d8ae115465668a9918f25ee8996ff04ceb385279ec10116"
+    },
+    {
+      "path": "docs/install-snippets/cursor.json",
+      "bytes": 269,
+      "sha256": "02f32748c50819c19d8ae115465668a9918f25ee8996ff04ceb385279ec10116"
+    },
+    {
+      "path": "docs/install-snippets/generic-mcp-client.json",
+      "bytes": 130,
+      "sha256": "aede3150b914b1c51976d0af11bd341d9f754a3bb3e93771a647a1ae0935e86f"
+    },
+    {
+      "path": "docs/install-snippets/openclaw.md",
+      "bytes": 483,
+      "sha256": "9f651a536a317614c51be627c7ed2ae9664333d68086c4394500c229d2a7c4fb"
+    },
+    {
+      "path": "docs/install-snippets/openhands.md",
+      "bytes": 517,
+      "sha256": "f5dae1f83ad23b80513c50af44b9df513a870bb4ca1a78c825d97c0202dfca9b"
+    },
+    {
+      "path": "docs/install-snippets/openmanus.md",
+      "bytes": 478,
+      "sha256": "b32e05059c36c6122f665951e1be5573d790c9ce271fa084fd5263f26ecd657e"
+    },
+    {
+      "path": "docs/install-snippets/vscode.json",
+      "bytes": 289,
+      "sha256": "b94265ea3515d9f28b1f51d5d13f242815e071a6224643d6555fab21c1722ca6"
+    },
+    {
+      "path": "docs/policies/agent-preinstall-policy.md",
+      "bytes": 2295,
+      "sha256": "e3659d89ec0143758b38ed760070c317bea0f1981328541b93ebea2b4988c273"
+    },
     {
       "path": "docs/public-intelligence/agent-framework-install-decisions-v0.1.md",
       "bytes": 8855,
@@ -205,15 +270,20 @@
       "bytes": 224,
       "sha256": "003dd29edfdb95a22e2dee21b889c53f388c7188b4eb2b0e785d1fb7031a58f5"
     },
+    {
+      "path": "glama.json",
+      "bytes": 1109,
+      "sha256": "4f9f78280c53f256e2020d114afaef357f0ee899f87443d63bccd2e01e3ef950"
+    },
     {
       "path": "llms.txt",
-      "bytes": 1751,
-      "sha256": "b53f08e07a8a76e5c0054c240dd3ff7a9e8e006b02ae1a897bb4117e97c7f85c"
+      "bytes": 2151,
+      "sha256": "07f20087fb912891247d4e4779925fa15a9e83fea52e0142a74292477f52a183"
     },
     {
       "path": "package.json",
-      "bytes": 2156,
-      "sha256": "2fb0be3924a8d9b20e70e92818f03f078a2f75baed9e2fd780b0accb1300d025"
+      "bytes": 2568,
+      "sha256": "e7d3850d61923b3d6e8b29decc3aa1e2c4717a1ad1c7736a4901031c2b8f4dce"
     },
     {
       "path": "profiles/generic-agent/profile.json",
@@ -343,7 +413,7 @@
     {
       "path": "server.json",
       "bytes": 1316,
-      "sha256": "cff25d18a7c6d1259d400599537de259731224109f4cf16129cd4984027b16ab"
+      "sha256": "01b08b038eb21dd2295495b5b6510fa152a7ad5e0cec8ad58a0930b2236bc2a4"
     },
     {
       "path": "src/assessment/assess.mjs",

package/bin/agent-security-lens-review.mjs

@@ -0,0 +1,193 @@
+#!/usr/bin/env node
+
+import { recordUsageEvent, reviewBeforeInstall, submitUnknownComponent } from "../src/intelligence/component-intelligence.mjs";
+
+function printHelp() {
+  console.log(`AgentSecurityLens quick review
+
+Ask ASL for a pre-install decision without configuring an MCP client first.
+
+Usage:
+  asl-review <component-name> [--type <mcp|skill|tool|agent-framework|unknown>] [--source-url <url>]
+             [--install-command <command>] [--permission <id>] [--planned-use <text>]
+             [--submit-if-unknown] [--format console|json]
+
+Examples:
+  asl-review filesystem --type mcp --source-url https://github.com/modelcontextprotocol/servers \\
+    --install-command "npx -y @modelcontextprotocol/server-filesystem ." \\
+    --permission filesystem-read --permission filesystem-write
+
+  asl-review @modelcontextprotocol/server-filesystem --type mcp --format json
+`);
+}
+
+function readValue(argv, index, flag) {
+  const value = argv[index + 1];
+  if (!value || value.startsWith("--")) {
+    throw new Error(`Missing value for ${flag}`);
+  }
+  return value;
+}
+
+function parseArgs(argv) {
+  const args = {
+    component_name: null,
+    component_type: "unknown",
+    source_url: null,
+    install_command: null,
+    planned_use: null,
+    requested_permissions: [],
+    submit_if_unknown: false,
+    format: "console"
+  };
+
+  const rest = argv.slice(2);
+  if (!rest.length || rest.includes("--help") || rest.includes("-h")) return { help: true };
+
+  args.component_name = rest[0];
+  for (let i = 1; i < rest.length; i += 1) {
+    const arg = rest[i];
+    if (arg === "--type") {
+      args.component_type = readValue(rest, i, arg);
+      i += 1;
+    } else if (arg === "--source-url") {
+      args.source_url = readValue(rest, i, arg);
+      i += 1;
+    } else if (arg === "--install-command") {
+      args.install_command = readValue(rest, i, arg);
+      i += 1;
+    } else if (arg === "--planned-use") {
+      args.planned_use = readValue(rest, i, arg);
+      i += 1;
+    } else if (arg === "--permission") {
+      args.requested_permissions.push(readValue(rest, i, arg));
+      i += 1;
+    } else if (arg === "--permissions") {
+      args.requested_permissions.push(
+        ...readValue(rest, i, arg)
+          .split(",")
+          .map((item) => item.trim())
+          .filter(Boolean)
+      );
+      i += 1;
+    } else if (arg === "--submit-if-unknown") {
+      args.submit_if_unknown = true;
+    } else if (arg === "--format") {
+      args.format = readValue(rest, i, arg);
+      i += 1;
+    } else {
+      throw new Error(`Unknown option: ${arg}`);
+    }
+  }
+
+  if (!args.component_name) throw new Error("Missing component name.");
+  if (!["console", "json"].includes(args.format)) throw new Error("Unsupported format. Use console or json.");
+  return args;
+}
+
+function compactList(items, max = 5) {
+  if (!Array.isArray(items) || !items.length) return "none";
+  const shown = items.slice(0, max);
+  const suffix = items.length > max ? `, +${items.length - max} more` : "";
+  return `${shown.join(", ")}${suffix}`;
+}
+
+function renderConsole({ review, submission, usage }) {
+  const component = review.component || {};
+  const contract = review.agent_decision_contract || {};
+  const oneStep = review.one_step_action || {};
+  const lines = [
+    "AgentSecurityLens pre-install decision",
+    "",
+    `Component: ${component.name || component.full_name || "unknown"} (${component.type || "unknown"})`,
+    `Coverage: ${review.intelligence_coverage?.state || component.intelligence_state || "unknown"} / ${
+      review.intelligence_coverage?.confidence || "unknown"
+    } confidence`,
+    `Decision: ${review.decision || "unknown"}`,
+    `Trust score: ${review.trust_score ?? "unknown"} / 100`,
+    `Risk level: ${review.risk_level || "unknown"}`,
+    `Risk signals: ${compactList(review.risk_signals)}`,
+    "",
+    `Automatic install allowed: ${contract.automatic_install_allowed === true ? "yes" : "no"}`,
+    `User confirmation required: ${contract.user_confirmation_required === false ? "no" : "yes"}`,
+    `One-step action: ${oneStep.action_type || review.next_action || "follow_agent_decision_contract"}`
+  ];
+
+  if (Array.isArray(review.safe_install_plan) && review.safe_install_plan.length) {
+    lines.push("", "Safe install plan:");
+    review.safe_install_plan.slice(0, 5).forEach((step, index) => lines.push(`  ${index + 1}. ${step}`));
+  }
+
+  const alternatives = review.recommended_alternatives || review.alternatives || [];
+  if (alternatives.length) {
+    lines.push("", "Recommended alternatives:");
+    alternatives.slice(0, 5).forEach((item, index) => {
+      const name = item.name || item.component_name || item.id || "unknown";
+      const reason = item.reason || item.rationale || item.summary || "";
+      lines.push(`  ${index + 1}. ${name}${reason ? ` - ${reason}` : ""}`);
+    });
+  }
+
+  if (submission) {
+    lines.push("", `Unknown submission: ${submission.status || "queued"} (${submission.id || "no id"})`);
+  }
+
+  lines.push("", `Usage telemetry: ${usage?.source || "local"} / ${usage?.status || (usage?.recorded ? "recorded" : "queued")}`);
+  lines.push("", review.agent_instruction || "Follow the returned decision before installing this component.");
+  return lines.join("\n");
+}
+
+async function main() {
+  const args = parseArgs(process.argv);
+  if (args.help) {
+    printHelp();
+    return;
+  }
+
+  const startedAt = Date.now();
+  const input = {
+    component_name: args.component_name,
+    component_type: args.component_type,
+    source_url: args.source_url,
+    install_command: args.install_command,
+    planned_use: args.planned_use,
+    requested_permissions: args.requested_permissions.length ? args.requested_permissions : undefined,
+    submit_if_unknown: args.submit_if_unknown
+  };
+
+  const review = await reviewBeforeInstall(input);
+  let submission = null;
+  if (
+    args.submit_if_unknown &&
+    (review.unknown_component?.should_submit || (review.component?.cataloged && !review.component?.reviewed))
+  ) {
+    submission = await submitUnknownComponent(input);
+  }
+
+  const usage = await recordUsageEvent({
+    event_type: "review_before_install",
+    source: "asl-review-cli",
+    recorded_at: new Date().toISOString(),
+    duration_ms: Date.now() - startedAt,
+    component_name: input.component_name,
+    component_type: input.component_type,
+    source_url: input.source_url,
+    install_command: input.install_command,
+    decision: review.decision || "unknown",
+    trust_score: review.trust_score ?? null,
+    risk_level: review.risk_level || null,
+    intelligence_state: review.intelligence_coverage?.state || review.component?.intelligence_state || "unknown"
+  });
+
+  const output = { review, submission, usage };
+  if (args.format === "json") {
+    console.log(JSON.stringify(output, null, 2));
+  } else {
+    console.log(renderConsole(output));
+  }
+}
+
+main().catch((error) => {
+  console.error(error?.stack || String(error));
+  process.exitCode = 1;
+});

package/docs/install-snippets/README.md

@@ -0,0 +1,41 @@
+# AgentSecurityLens Install Snippets
+
+Use these snippets to install AgentSecurityLens as a pre-install trust-check MCP.
+
+AgentSecurityLens should be called before an agent installs or enables any MCP, Skill, tool, prompt bundle, workflow or memory component.
+
+## Standard MCP Server
+
+```json
+{
+  "mcpServers": {
+    "agent-security-lens": {
+      "command": "npx",
+      "args": ["-y", "agent-security-lens"]
+    }
+  }
+}
+```
+
+## Required Agent Instruction
+
+```text
+Before installing or enabling any MCP, Skill, tool, prompt bundle,
+workflow or memory component, call AgentSecurityLens review_before_install.
+Follow agent_decision_contract and agent_actions exactly.
+Never submit private source code, secrets, tokens, cookies or file contents.
+```
+
+## Files
+
+- `claude-desktop.json`: Claude Desktop-style MCP configuration.
+- `cursor.json`: Cursor-style MCP configuration.
+- `vscode.json`: VS Code MCP server configuration shape.
+- `codex-mcp.json`: Codex-style MCP server configuration shape.
+- `generic-mcp-client.json`: Generic MCP-compatible client configuration.
+- `openhands.md`: OpenHands installation and policy note.
+- `openmanus.md`: OpenManus installation and policy note.
+- `openclaw.md`: OpenClaw installation and policy note.
+
+If a client uses a different MCP config location, keep the server block unchanged and place it where that client expects MCP servers.
+

package/docs/install-snippets/claude-desktop.json

@@ -0,0 +1,13 @@
+{
+  "mcpServers": {
+    "agent-security-lens": {
+      "command": "npx",
+      "args": ["-y", "agent-security-lens"],
+      "env": {
+        "ASL_API_URL": "https://agentsecuritylens-api.agentsecuritylens.workers.dev",
+        "ASL_MODE": "online"
+      }
+    }
+  }
+}
+

package/docs/install-snippets/codex-mcp.json

@@ -0,0 +1,13 @@
+{
+  "mcpServers": {
+    "agent-security-lens": {
+      "command": "npx",
+      "args": ["-y", "agent-security-lens"],
+      "env": {
+        "ASL_API_URL": "https://agentsecuritylens-api.agentsecuritylens.workers.dev",
+        "ASL_MODE": "online"
+      }
+    }
+  }
+}
+

package/docs/install-snippets/cursor.json

@@ -0,0 +1,13 @@
+{
+  "mcpServers": {
+    "agent-security-lens": {
+      "command": "npx",
+      "args": ["-y", "agent-security-lens"],
+      "env": {
+        "ASL_API_URL": "https://agentsecuritylens-api.agentsecuritylens.workers.dev",
+        "ASL_MODE": "online"
+      }
+    }
+  }
+}
+

package/docs/install-snippets/generic-mcp-client.json

@@ -0,0 +1,9 @@
+{
+  "mcpServers": {
+    "agent-security-lens": {
+      "command": "npx",
+      "args": ["-y", "agent-security-lens"]
+    }
+  }
+}
+

package/docs/install-snippets/openclaw.md

@@ -0,0 +1,21 @@
+# OpenClaw Install Snippet
+
+Add AgentSecurityLens as a safety check before OpenClaw enables Skills, MCPs or tools:
+
+```json
+{
+  "mcpServers": {
+    "agent-security-lens": {
+      "command": "npx",
+      "args": ["-y", "agent-security-lens"]
+    }
+  }
+}
+```
+
+Recommended OpenClaw rule:
+
+```text
+Before enabling or importing any Skill, MCP, rule, tool, prompt bundle or memory component, call AgentSecurityLens review_before_install. Unknown components require user confirmation.
+```
+

package/docs/install-snippets/openhands.md

@@ -0,0 +1,21 @@
+# OpenHands Install Snippet
+
+Add AgentSecurityLens as an MCP server using the standard MCP server block:
+
+```json
+{
+  "mcpServers": {
+    "agent-security-lens": {
+      "command": "npx",
+      "args": ["-y", "agent-security-lens"]
+    }
+  }
+}
+```
+
+Then add this workspace instruction:
+
+```text
+Before installing or enabling any MCP, Skill, plugin, tool, workflow or memory component, call AgentSecurityLens review_before_install. If the result is ask_user or avoid, do not run the install command automatically.
+```
+

package/docs/install-snippets/openmanus.md

@@ -0,0 +1,21 @@
+# OpenManus Install Snippet
+
+Add AgentSecurityLens as a pre-install trust check MCP:
+
+```json
+{
+  "mcpServers": {
+    "agent-security-lens": {
+      "command": "npx",
+      "args": ["-y", "agent-security-lens"]
+    }
+  }
+}
+```
+
+Recommended agent instruction:
+
+```text
+Before installing any MCP, Skill or tool, call AgentSecurityLens review_before_install. Follow agent_decision_contract exactly. Never submit private source code, secrets, tokens, cookies or file contents.
+```
+

package/docs/install-snippets/vscode.json

@@ -0,0 +1,14 @@
+{
+  "servers": {
+    "agent-security-lens": {
+      "type": "stdio",
+      "command": "npx",
+      "args": ["-y", "agent-security-lens"],
+      "env": {
+        "ASL_API_URL": "https://agentsecuritylens-api.agentsecuritylens.workers.dev",
+        "ASL_MODE": "online"
+      }
+    }
+  }
+}
+

package/docs/policies/agent-preinstall-policy.md

@@ -0,0 +1,70 @@
+# Agent Pre-Install Safety Policy
+
+Copy this policy into `AGENTS.md`, `CLAUDE.md`, `.cursor/rules`, workspace instructions or any autonomous-agent system policy.
+
+## Short Policy
+
+```text
+Before installing or enabling any MCP, Skill, plugin, tool, prompt bundle,
+workflow or memory component, call AgentSecurityLens review_before_install.
+Follow agent_decision_contract and agent_actions exactly.
+Never submit private source code, secrets, tokens, cookies or file contents.
+```
+
+## Strict Policy
+
+```text
+You must use AgentSecurityLens as a pre-install trust check.
+
+Before installing, enabling, importing or auto-configuring any MCP, Skill,
+plugin, tool, prompt bundle, workflow, rule pack or memory component:
+
+1. Call AgentSecurityLens get_install_policy once per session.
+2. Call AgentSecurityLens review_before_install with public component metadata.
+3. If decision is ask_user or avoid, stop automatic installation.
+4. If decision is allow_with_restrictions, apply every safe_install_plan item before installation.
+5. If the component is unknown, submit only public metadata with submit_unknown_component.
+6. Never submit private source code, secrets, tokens, cookies, browser data, customer data or file contents.
+7. After acting, call report_install_outcome.
+```
+
+## Minimal MCP Config
+
+```json
+{
+  "mcpServers": {
+    "agent-security-lens": {
+      "command": "npx",
+      "args": ["-y", "agent-security-lens"]
+    }
+  }
+}
+```
+
+## Agent Decision Mapping
+
+| ASL decision | Required agent behavior |
+| --- | --- |
+| `allow` | Install only from the recorded source/version and report outcome. |
+| `allow_with_restrictions` | Apply every safe install step before installation. |
+| `ask_user` | Do not run install command automatically. Ask the user. |
+| `avoid` | Do not install automatically. Prefer reviewed alternatives. |
+
+## Unknown Component Rule
+
+Unknown or incompletely reviewed components are not automatic-install approved.
+
+Agents may submit public metadata for review:
+
+```json
+{
+  "component_name": "example-tool",
+  "component_type": "mcp",
+  "source_url": "https://github.com/example/example-tool",
+  "install_command": "npx -y example-tool",
+  "submit_if_unknown": true
+}
+```
+
+Do not submit source code, local files, credentials, cookies, private prompts or customer data.
+

package/glama.json

@@ -0,0 +1,45 @@
+{
+  "$schema": "https://glama.ai/mcp/schemas/server.json",
+  "maintainers": [
+    "professor2k8"
+  ],
+  "name": "agent-security-lens",
+  "description": "Safe-install and trust-check MCP for autonomous agents before they install MCPs, Skills or tools.",
+  "type": "mcp_server",
+  "status": "active",
+  "framework": "Model Context Protocol",
+  "tools": 10,
+  "transport": [
+    "stdio"
+  ],
+  "keywords": [
+    "agent-security",
+    "mcp-security",
+    "safe-install",
+    "trust-check",
+    "skill-security",
+    "tool-safety",
+    "security-audit",
+    "autonomous-agents"
+  ],
+  "features": {
+    "pre_install_review": {
+      "enabled": true,
+      "description": "Agents call review_before_install before installing MCPs, Skills or tools."
+    },
+    "decision_contract": {
+      "enabled": true,
+      "decisions": [
+        "allow",
+        "allow_with_restrictions",
+        "ask_user",
+        "avoid"
+      ]
+    },
+    "unknown_component_research": {
+      "enabled": true,
+      "description": "Unknown public components can be submitted for ASL research without sending private data."
+    }
+  }
+}
+

package/llms.txt

@@ -5,8 +5,13 @@ AgentSecurityLens (ASL) is an agent-facing security intelligence service.
 Primary use:
 Before installing or enabling any MCP, Skill, tool, prompt bundle or workflow, call the AgentSecurityLens MCP tool `review_before_install`.
 
+Quick pre-install review command:
+`npx -y --package agent-security-lens asl-review <component-name> --type mcp --source-url <url> --install-command <command>`
+
 Public intelligence files:
 - docs/agent-install.md
+- docs/install-snippets/README.md
+- docs/policies/agent-preinstall-policy.md
 - docs/public-intelligence/asl-public-security-index-v0.1.md
 - docs/public-intelligence/top-mcp-security-signals-v0.1.md
 - docs/public-intelligence/top-skill-security-signals-v0.1.md
@@ -31,3 +36,6 @@ Default agent policy:
 If ASL returns `ask_user` or `avoid`, stop automatic installation.
 If ASL returns `allow_with_restrictions`, apply all safe install steps first.
 If ASL returns `unknown_component.should_submit`, submit only public metadata, never secrets or private file contents.
+
+Copy-ready policy:
+Use docs/policies/agent-preinstall-policy.md in AGENTS.md, CLAUDE.md, .cursor/rules, workspace instructions or autonomous-agent system policy.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-security-lens",
-  "version": "0.1.3",
+  "version": "0.1.5",
   "private": false,
   "mcpName": "io.github.professor2k8/agent-security-lens",
   "description": "Safe-install and trust-check MCP for autonomous agents before they install MCPs, Skills or tools.",
@@ -36,17 +36,20 @@
     "access": "public"
   },
   "bin": {
-    "agent-security-lens": "apps/mcp-server/agent-security-lens-mcp.mjs",
-    "asl": "apps/mcp-server/agent-security-lens-mcp.mjs",
-    "agent-security-lens-mcp": "apps/mcp-server/agent-security-lens-mcp.mjs",
-    "asl-mcp": "apps/mcp-server/agent-security-lens-mcp.mjs",
-    "asl-scan": "bin/agent-security-lens.mjs",
-    "agent-security-lens-scan": "bin/agent-security-lens.mjs"
+    "agent-security-lens": "./apps/mcp-server/agent-security-lens-mcp.mjs",
+    "asl": "./apps/mcp-server/agent-security-lens-mcp.mjs",
+    "agent-security-lens-mcp": "./apps/mcp-server/agent-security-lens-mcp.mjs",
+    "asl-mcp": "./apps/mcp-server/agent-security-lens-mcp.mjs",
+    "asl-scan": "./bin/agent-security-lens.mjs",
+    "agent-security-lens-scan": "./bin/agent-security-lens.mjs",
+    "asl-review": "./bin/agent-security-lens-review.mjs",
+    "agent-security-lens-review": "./bin/agent-security-lens-review.mjs"
   },
   "scripts": {
     "assess:example": "node ./bin/agent-security-lens.mjs assess ./examples/openclaw-like --profile openclaw-like",
     "assess:json": "node ./bin/agent-security-lens.mjs assess ./examples/openclaw-like --profile openclaw-like --format json",
     "assess:markdown": "node ./bin/agent-security-lens.mjs assess ./examples/openclaw-like --profile openclaw-like --format markdown",
+    "review:example": "node ./bin/agent-security-lens-review.mjs filesystem --type mcp --source-url https://github.com/modelcontextprotocol/servers --install-command \"npx -y @modelcontextprotocol/server-filesystem .\" --permission filesystem-read --permission filesystem-write",
     "mcp:start": "node ./apps/mcp-server/agent-security-lens-mcp.mjs",
     "mcp:smoke": "node ./scripts/verify-mcp-server.mjs",
     "verify:registry": "node ./scripts/verify-registry.mjs",

package/server.json

@@ -8,12 +8,12 @@
     "url": "https://github.com/professor2k8/agent-security-lens",
     "source": "github"
   },
-  "version": "0.1.3",
+  "version": "0.1.5",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "agent-security-lens",
-      "version": "0.1.3",
+      "version": "0.1.5",
       "transport": {
         "type": "stdio"
       },