npm - agentaudit - Versions diffs - 3.9.12 → 3.9.14 - Mend

agentaudit 3.9.12 → 3.9.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -1,5 +1,9 @@
 <div align="center">
+<img src="https://www.agentaudit.dev/banner-chameleon.png" alt="AgentAudit -- Security scanner for AI packages" width="100%">
+<br>
 # 🛡️ AgentAudit
 **Security scanner for AI packages — MCP server + CLI**
@@ -7,6 +11,7 @@
 Scan MCP servers, AI skills, and packages for vulnerabilities, prompt injection,
 and supply chain attacks. Powered by regex static analysis and deep LLM audits.
+[![AgentAudit](https://www.agentaudit.dev/api/badge/agentaudit-mcp)](https://www.agentaudit.dev/skills/agentaudit-mcp)
 [![npm version](https://img.shields.io/npm/v/agentaudit?style=for-the-badge&color=CB3837&logo=npm)](https://www.npmjs.com/package/agentaudit)
 [![Trust Registry](https://img.shields.io/badge/Trust_Registry-Live-00C853?style=for-the-badge)](https://agentaudit.dev)
 [![License](https://img.shields.io/badge/License-AGPL_3.0-F9A825?style=for-the-badge)](LICENSE)
@@ -454,10 +459,32 @@ Or use without installing: `npx agentaudit`
 ### Do I need an API key?
 - **Quick scan** (`scan`): No API key needed — runs locally with regex
-- **Deep audit** (`audit`): Needs `ANTHROPIC_API_KEY` or `OPENAI_API_KEY`
+- **Deep audit** (`audit`): Needs an LLM API key (see below)
 - **Registry lookup** (`lookup`): No key needed for reading; key needed for uploading reports
 - **MCP server**: No extra key needed — uses the host editor's LLM
+### Setting up your LLM key for deep audits
+The `audit` command supports **Anthropic (Claude)** and **OpenAI (GPT-4o)**. Set one of these environment variables:
+```bash
+# Linux / macOS
+export ANTHROPIC_API_KEY=sk-ant-...    # Recommended
+export OPENAI_API_KEY=sk-...           # Alternative
+# Windows (PowerShell)
+$env:ANTHROPIC_API_KEY = "sk-ant-..."
+$env:OPENAI_API_KEY = "sk-..."
+# Windows (CMD)
+set ANTHROPIC_API_KEY=sk-ant-...
+set OPENAI_API_KEY=sk-...
+```
+**Priority:** If both are set, Anthropic is used. The active provider is shown during the audit.
+**Troubleshooting:** If you see `API error: Incorrect API key`, double-check your key is valid and has credits. Use `--debug` to see the full API response.
 ### What data is sent externally?
 - **Registry lookups**: Package name/slug is sent to `agentaudit.dev` to check for existing audits
@@ -479,13 +506,15 @@ It checks standard config file locations for Claude Desktop, Cursor, VS Code, an
 ---
-## 🔗 Related Links
+## 🔗 Related
-- **Trust Registry**: [agentaudit.dev](https://agentaudit.dev)
-- **Leaderboard**: [agentaudit.dev/leaderboard](https://agentaudit.dev/leaderboard)
-- **Agent Skill**: [github.com/starbuck100/agentaudit-skill](https://github.com/starbuck100/agentaudit-skill) — Full agent skill with pre-install security gate, detection patterns & peer review system
-- **MCP Server Repository**: [github.com/starbuck100/agentaudit-mcp](https://github.com/starbuck100/agentaudit-mcp)
-- **Report Issues**: [GitHub Issues](https://github.com/starbuck100/agentaudit-mcp/issues)
+| | Project | Description |
+|---|---------|-------------|
+| 🌐 | [agentaudit.dev](https://agentaudit.dev) | Trust Registry -- browse packages, findings, leaderboard |
+| 🛡️ | [agentaudit-skill](https://github.com/starbuck100/agentaudit-skill) | Agent Skill -- pre-install security gate for Claude Code, Cursor, Windsurf |
+| ⚡ | [agentaudit-github-action](https://github.com/ecap0-ai/agentaudit-github-action) | GitHub Action -- CI/CD security scanning |
+| 📚 | [agentaudit-mcp](https://github.com/ecap0-ai/agentaudit-mcp) | This repo -- CLI + MCP server source |
+| 🐛 | [Report Issues](https://github.com/ecap0-ai/agentaudit-mcp/issues) | Bug reports and feature requests |
 ---
@@ -499,6 +528,6 @@ It checks standard config file locations for Claude Desktop, Cursor, VS Code, an
 **Protect your AI stack. Scan before you trust.**
-[Trust Registry](https://agentaudit.dev) · [Leaderboard](https://agentaudit.dev/leaderboard) · [Report Issues](https://github.com/starbuck100/agentaudit-mcp/issues)
+[Trust Registry](https://agentaudit.dev) · [Leaderboard](https://agentaudit.dev/leaderboard) · [Report Issues](https://github.com/ecap0-ai/agentaudit-mcp/issues)
 </div>

package/cli.mjs CHANGED Viewed

@@ -1543,11 +1543,37 @@ async function checkPackage(name) {
   if (!jsonMode) {
     const riskScore = data.risk_score ?? data.latest_risk_score ?? 0;
-    console.log(`  ${c.bold}${name}${c.reset}  ${riskBadge(riskScore)}`);
-    console.log(`  ${c.dim}Risk Score: ${riskScore}/100${c.reset}`);
-    if (data.source_url) console.log(`  ${c.dim}Source: ${data.source_url}${c.reset}`);
-    console.log(`  ${c.dim}Registry: ${REGISTRY_URL}/skills/${name}${c.reset}`);
+    const trustScore = data.trust_score ?? (100 - riskScore);
+    const totalFindings = data.total_findings ?? 0;
+    const totalReports = data.total_reports ?? 0;
+    // Package name + verdict
+    console.log(`  ${c.bold}${data.display_name || name}${c.reset}  ${riskBadge(riskScore)}`);
+    if (data.description) console.log(`  ${c.dim}${data.description}${c.reset}`);
+    console.log();
+    // Trust Score (the main metric)
+    const trustColor = trustScore >= 70 ? c.green : trustScore >= 40 ? c.yellow : c.red;
+    const trustLabel = trustScore >= 70 ? 'SAFE' : trustScore >= 40 ? 'CAUTION' : 'UNSAFE';
+    console.log(`  ${trustColor}${c.bold}${trustLabel}${c.reset}  ${trustColor}Trust Score: ${trustScore}/100${c.reset}  ${c.dim}(Risk: ${riskScore}/100)${c.reset}`);
+    // Findings summary
+    if (totalFindings > 0) {
+      const maxSev = data.latest_max_severity;
+      const sevStr = maxSev ? `max severity: ${severityColor(maxSev)}${maxSev}${c.reset}` : '';
+      console.log(`  ${c.dim}Findings: ${totalFindings}${sevStr ? ` (${sevStr}${c.dim})` : ''}${c.reset}`);
+    } else {
+      console.log(`  ${c.dim}Findings: 0 (clean)${c.reset}`);
+    }
+    // Audit info
+    console.log(`  ${c.dim}Reports: ${totalReports} | Last audited: ${data.last_audited_at ? new Date(data.last_audited_at).toLocaleDateString() : 'unknown'}${c.reset}`);
     if (data.has_official_audit) console.log(`  ${c.green}✔ Officially audited${c.reset}`);
+    // Links
+    console.log();
+    if (data.source_url) console.log(`  ${c.dim}Source:   ${data.source_url}${c.reset}`);
+    console.log(`  ${c.dim}Registry: ${REGISTRY_URL}/skills/${encodeURIComponent(name)}${c.reset}`);
     console.log();
   }
   return data;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "agentaudit",
-  "version": "3.9.12",
+  "version": "3.9.14",
   "description": "Security scanner for AI packages — MCP server + CLI",
   "type": "module",
   "bin": {