agent-security-lens 0.1.7 → 0.1.8

package/.mcp/server.json

@@ -8,12 +8,12 @@
     "url": "https://github.com/professor2k8/agent-security-lens",
     "source": "github"
   },
-  "version": "0.1.7",
+  "version": "0.1.8",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "agent-security-lens",
-      "version": "0.1.7",
+      "version": "0.1.8",
       "transport": {
         "type": "stdio"
       },

package/CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## 0.1.8
+
+- Add copy-ready first-call examples for 10 common MCP install decisions.
+- Link first-call examples from README and `llms.txt` so agents can discover concrete ASL review commands.
+
 ## 0.1.7
 
 - Add root `AGENTS.md` so autonomous coding agents can discover ASL's pre-install policy directly from the repository.

package/README.md

@@ -36,6 +36,10 @@ The command returns an agent-readable decision, trust score, risk signals, safe
 
 If your shell does not expose npm temporary binaries correctly, use `npm install -g agent-security-lens` once, then run the same command without `npx -y`.
 
+More copy-ready calls:
+
+- [MCP first-call examples](docs/public-intelligence/mcp-first-call-examples-v0.1.md)
+
 Add ASL as a pre-install trust check MCP:
 
 ```json
@@ -73,6 +77,7 @@ The public package includes a reviewed baseline so agents can still make conserv
 - [Top MCP Security Signals v0.1](docs/public-intelligence/top-mcp-security-signals-v0.1.md)
 - [Top Skill Security Signals v0.1](docs/public-intelligence/top-skill-security-signals-v0.1.md)
 - [Agent Framework Install Decisions v0.1](docs/public-intelligence/agent-framework-install-decisions-v0.1.md)
+- [MCP First-Call Examples v0.1](docs/public-intelligence/mcp-first-call-examples-v0.1.md)
 
 The online ASL intelligence API serves the current expanded catalog. The npm package intentionally does not ship the complete private intelligence database.
 

package/RELEASE-MANIFEST.json

@@ -1,8 +1,8 @@
 {
   "schema_version": "0.1.0",
   "package": "agent-security-lens",
-  "version": "0.1.7",
-  "generated_at": "2026-06-24T12:50:23.177Z",
+  "version": "0.1.8",
+  "generated_at": "2026-06-25T04:55:00.570Z",
   "source": "ASL verified public release exporter",
   "files": [
     {
@@ -48,7 +48,7 @@
     {
       "path": ".mcp/server.json",
       "bytes": 1316,
-      "sha256": "3cf970a92c19c20fbe5fefee92567c51d17543eb97759c44868c44a437b42d0c"
+      "sha256": "a9dee7dbc493a6d4ebf6ceadf67d569c41cd5c1e0b7b63addf715845ed1595d8"
     },
     {
       "path": ".npmignore",
@@ -62,8 +62,8 @@
     },
     {
       "path": "CHANGELOG.md",
-      "bytes": 2885,
-      "sha256": "d56741889411dee507051c142ee4f0f8190339822b4ef854d9aa807950162793"
+      "bytes": 3077,
+      "sha256": "24dc14cfab212aff8e76624a9783533823fde9205234f6c4b507b96d87d6c2e6"
     },
     {
       "path": "CODE_OF_CONDUCT.md",
@@ -92,8 +92,8 @@
     },
     {
       "path": "README.md",
-      "bytes": 7872,
-      "sha256": "bc3369565c4dd316cf8c0faa988c1c03c8b6ac1791d2d72ad0d8b1e7a9b328d6"
+      "bytes": 8074,
+      "sha256": "4b7bd80bb553596693f5684341aeda4e61331e8f32c2f21fe0916edfefd521d3"
     },
     {
       "path": "SECURITY.md",
@@ -215,6 +215,11 @@
       "bytes": 11404,
       "sha256": "828fdcd367057a3b5583a80dc095b5e5365ef5e5f947ccf6ba95d964a1f50403"
     },
+    {
+      "path": "docs/public-intelligence/mcp-first-call-examples-v0.1.md",
+      "bytes": 5457,
+      "sha256": "758bccdb7f962089549bb1d97be6479eaa497a12207643fb70d00e9d024cd71f"
+    },
     {
       "path": "docs/public-intelligence/top-mcp-security-signals-v0.1.md",
       "bytes": 11894,
@@ -282,13 +287,13 @@
     },
     {
       "path": "llms.txt",
-      "bytes": 2744,
-      "sha256": "6513087b9ad8a749c782077fe2c114f9d9e169304c2bf591e2b725271e486b91"
+      "bytes": 2803,
+      "sha256": "8e15f959d9f2a24155b606136d4c53d7029e97d948904f8874e393e58541ea78"
     },
     {
       "path": "package.json",
       "bytes": 2568,
-      "sha256": "145efff93b3c7605596f123906630165ee61598a2000f3e4b8fca13ab4c36448"
+      "sha256": "8eb4b7416328821604b823bdb9f3676e46b00dfdd12733d64fc65b8a1623d376"
     },
     {
       "path": "profiles/generic-agent/profile.json",
@@ -418,7 +423,7 @@
     {
       "path": "server.json",
       "bytes": 1316,
-      "sha256": "3cf970a92c19c20fbe5fefee92567c51d17543eb97759c44868c44a437b42d0c"
+      "sha256": "a9dee7dbc493a6d4ebf6ceadf67d569c41cd5c1e0b7b63addf715845ed1595d8"
     },
     {
       "path": "src/assessment/assess.mjs",

package/docs/public-intelligence/mcp-first-call-examples-v0.1.md

@@ -0,0 +1,169 @@
+# MCP First-Call Examples
+
+These examples are for agents that need a fast pre-install decision before enabling an MCP server.
+
+Run the command, read `agent_decision_contract`, and do not install automatically when `automatic_install_allowed` is `false`.
+
+## Example Commands
+
+### Filesystem
+
+```bash
+npx -y agent-security-lens review filesystem \
+  --type mcp \
+  --source-url https://github.com/modelcontextprotocol/servers \
+  --install-command "npx -y @modelcontextprotocol/server-filesystem ." \
+  --permission filesystem-read \
+  --permission filesystem-write
+```
+
+Observed ASL summary: `ask_user`, trust score `8`, risk level `high`, coverage `curated_baseline`.
+
+Primary signals: `filesystem-read`, `filesystem-write`, `subprocess-spawn`, `shell-execution`, `network-access`.
+
+### GitHub
+
+```bash
+npx -y agent-security-lens review github \
+  --type mcp \
+  --source-url https://github.com/modelcontextprotocol/servers \
+  --install-command "npx -y @modelcontextprotocol/server-github" \
+  --permission network-access \
+  --permission credentials-access
+```
+
+Observed ASL summary: `ask_user`, trust score `12`, risk level `medium`, coverage `curated_baseline`.
+
+Primary signals: `network-access`, `credential-access`, `repository-write`, `shell-execution`.
+
+### Postgres
+
+```bash
+npx -y agent-security-lens review postgres \
+  --type mcp \
+  --source-url https://github.com/modelcontextprotocol/servers \
+  --install-command "npx -y @modelcontextprotocol/server-postgres" \
+  --permission network-access \
+  --permission db-access
+```
+
+Observed ASL summary: `ask_user`, trust score `10`, risk level `high`, coverage `curated_baseline`.
+
+Primary signals: `database-access`, `credential-access`, `data-exposure-risk`, `shell-execution`, `network-access`.
+
+### MongoDB
+
+```bash
+npx -y agent-security-lens review mongodb \
+  --type mcp \
+  --source-url https://github.com/mongodb-js/mongodb-mcp-server \
+  --install-command "npx -y mongodb-mcp-server" \
+  --permission network-access \
+  --permission db-access
+```
+
+Observed ASL summary: `ask_user`, trust score `22`, risk level `medium`, coverage `monitored`.
+
+Primary signals: `shell-execution`, `network-access`, `catalog-unreviewed`.
+
+### Supabase
+
+```bash
+npx -y agent-security-lens review supabase \
+  --type mcp \
+  --source-url https://github.com/supabase-community/supabase-mcp \
+  --install-command "npx -y @supabase/mcp-server-supabase" \
+  --permission network-access \
+  --permission db-access \
+  --permission credentials-access
+```
+
+Observed ASL summary: `ask_user`, trust score `22`, risk level `medium`, coverage `candidate`.
+
+Primary signals: `shell-execution`, `network-access`, `catalog-unreviewed`.
+
+### Grafana
+
+```bash
+npx -y agent-security-lens review grafana \
+  --type mcp \
+  --source-url https://github.com/grafana/mcp-grafana \
+  --install-command "npx -y mcp-grafana" \
+  --permission network-access \
+  --permission credentials-access
+```
+
+Observed ASL summary: `ask_user`, trust score `17`, risk level `medium`, coverage `unknown`.
+
+Primary signals: `shell-execution`, `network-access`, `unknown-source`.
+
+### Slack
+
+```bash
+npx -y agent-security-lens review slack \
+  --type mcp \
+  --source-url https://github.com/modelcontextprotocol/servers \
+  --install-command "npx -y @modelcontextprotocol/server-slack" \
+  --permission network-access \
+  --permission credentials-access
+```
+
+Observed ASL summary: `ask_user`, trust score `11`, risk level `medium`, coverage `curated_baseline`.
+
+Primary signals: `network-access`, `credential-access`, `message-read`, `message-write`, `shell-execution`.
+
+### Brave Search
+
+```bash
+npx -y agent-security-lens review brave-search \
+  --type mcp \
+  --source-url https://github.com/modelcontextprotocol/servers \
+  --install-command "npx -y @modelcontextprotocol/server-brave-search" \
+  --permission network-access \
+  --permission credentials-access
+```
+
+Observed ASL summary: `ask_user`, trust score `12`, risk level `medium`, coverage `curated_baseline`.
+
+Primary signals: `network-access`, `external-api`, `credential-access`, `shell-execution`.
+
+### Puppeteer
+
+```bash
+npx -y agent-security-lens review puppeteer \
+  --type mcp \
+  --source-url https://github.com/modelcontextprotocol/servers \
+  --install-command "npx -y @modelcontextprotocol/server-puppeteer" \
+  --permission browser-access \
+  --permission network-access
+```
+
+Observed ASL summary: `ask_user`, trust score `10`, risk level `high`, coverage `curated_baseline`.
+
+Primary signals: `browser-access`, `network-access`, `credential-access`, `form-submission`, `shell-execution`.
+
+### Memory
+
+```bash
+npx -y agent-security-lens review memory \
+  --type mcp \
+  --source-url https://github.com/modelcontextprotocol/servers \
+  --install-command "npx -y @modelcontextprotocol/server-memory" \
+  --permission memory-access \
+  --permission filesystem-write
+```
+
+Observed ASL summary: `ask_user`, trust score `13`, risk level `medium`, coverage `unknown`.
+
+Primary signals: `shell-execution`, `filesystem-write`, `network-access`, `unknown-source`.
+
+## Agent Rule
+
+Do not treat `ask_user` as failure. It means ASL found install-time exposure that requires explicit user approval, restrictions, or a reviewed alternative.
+
+For every result, agents should execute:
+
+1. Read `agent_decision_contract`.
+2. Apply `safe_install_plan`.
+3. Ask the user if `user_confirmation_required` is true.
+4. Call `report_install_outcome` after the final install, block, skip or failure.

package/llms.txt

@@ -20,6 +20,7 @@ Public intelligence files:
 - docs/agent-install.md
 - docs/install-snippets/README.md
 - docs/policies/agent-preinstall-policy.md
+- docs/public-intelligence/mcp-first-call-examples-v0.1.md
 - docs/public-intelligence/asl-public-security-index-v0.1.md
 - docs/public-intelligence/top-mcp-security-signals-v0.1.md
 - docs/public-intelligence/top-skill-security-signals-v0.1.md

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-security-lens",
-  "version": "0.1.7",
+  "version": "0.1.8",
   "private": false,
   "mcpName": "io.github.professor2k8/agent-security-lens",
   "description": "Safe-install and trust-check MCP for autonomous agents before they install MCPs, Skills or tools.",

package/server.json

@@ -8,12 +8,12 @@
     "url": "https://github.com/professor2k8/agent-security-lens",
     "source": "github"
   },
-  "version": "0.1.7",
+  "version": "0.1.8",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "agent-security-lens",
-      "version": "0.1.7",
+      "version": "0.1.8",
       "transport": {
         "type": "stdio"
       },