Metadata-Version: 2.4
Name: mujin-agentlock
Version: 0.1.0
Summary: npm audit for your AI agent's extensions: inventory installed MCP servers/skills and flag known-vulnerable (OSV), abandoned, and unpinned ones in CI.
Project-URL: Homepage, https://github.com/mujinlabs/agentlock
Project-URL: Issues, https://github.com/mujinlabs/agentlock/issues
Author: Mujin Labs
License: MIT
License-File: LICENSE
Keywords: ai-agents,ci,mcp,osv,sbom,security,supply-chain,vulnerability
Classifier: Development Status :: 3 - Alpha
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Topic :: Security
Requires-Python: >=3.9
Description-Content-Type: text/markdown

# agentlock

**`npm audit` for your AI agent's extensions.** Inventory the MCP servers (and skills)
your project has installed, resolve each to its npm/PyPI package, and flag the
known-vulnerable, abandoned, and unpinned ones — with a CI gate.

You wire up MCP servers with `npx -y some-server` and `uvx some-server` and never think
about them again. But they're third-party code with full tool access — and the supply
chain is real: `mcp-remote` shipped [CVE-2025-6514 (CVSS 9.6, OS command injection)](https://nvd.nist.gov/vuln/detail/CVE-2025-6514)
with 437K+ weekly downloads. Generic SBOM scanners don't look at your *agent* layer. agentlock does.

```bash
pipx install mujin-agentlock

agentlock scan            # audit this project's MCP servers / skills
agentlock scan --global   # also include ~/.claude.json etc.
```

```
  remote-proxy  (mcp-server, .mcp.json)
      npm:mcp-remote@0.0.5  · vulnerable  [VULNERABLE]
      ! GHSA-6xpm-ggf7-wc3p (CVE-2025-6514)  OS command injection via untrusted MCP server connections
  everything  (mcp-server, .mcp.json)
      npm:@modelcontextprotocol/server-everything  · ok  [unpinned]

  3 extension(s): 1 vulnerable, 0 stale, 1 unpinned
```

## What it checks

For each MCP server it can resolve to a registry package:

- **Known vulnerabilities** — queried against [OSV.dev](https://osv.dev) (free, no key).
- **Abandoned / stale** — no release in `--stale-days` (default 365), via the npm/PyPI registry.
- **Unpinned** — launched with a floating version (`npx -y pkg`), so you can't reproduce what runs.

Where it reads extensions from: `.mcp.json`, `.cursor/mcp.json`, `.vscode/mcp.json`,
`.claude/settings.json`, `.claude/skills/`, and (`--global`) `~/.claude.json`.

## Honest scope

There is no MCP-specific advisory feed yet, so agentlock maps an MCP server to its
**underlying npm/PyPI package** and audits that. It catches dependency CVEs (like the one
above) and abandonment — it does **not** detect MCP-specific tool-poisoning in an
otherwise-clean package. Local-path and remote-URL servers have no registry to audit and
are listed as skipped. (For *content* risks in a specific skill/server, pair it with
[agentaudit](https://github.com/mujinlabs/agentaudit).)
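As an added illustration of the inventory step described in "What it checks" and the skip rules in this section (example code, not agentlock's own implementation): it parses a constructed `.mcp.json`, maps `npx`/`uvx` launches to their npm/PyPI package and version, flags unpinned ones, skips local-path and remote-URL servers, and builds the OSV `/v1/query` request body without sending it. The sample server entries are made up for the example.

```python
import json
import re

# Constructed sample .mcp.json (not from any real project), in the
# npx/uvx launch style the README describes.
SAMPLE_MCP_JSON = json.dumps({"mcpServers": {
    "remote-proxy": {"command": "npx", "args": ["-y", "mcp-remote@0.0.5"]},
    "everything": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-everything"]},
    "fetch": {"command": "uvx", "args": ["mcp-server-fetch==0.6.2"]},
    "local-js": {"command": "node", "args": ["./servers/local.js"]},
    "hosted": {"url": "https://example.invalid/mcp"},
}})
NPM_SPEC = re.compile(r"(@?[^@]+)(?:@(.+))?")           # [@scope/]name[@version]
PYPI_SPEC = re.compile(r"([A-Za-z0-9_.-]+)(?:==(.+))?")  # name[==version]

def resolve(name, spec):
    """Map one server entry to its registry package; version None means unpinned."""
    if "url" in spec:
        return {"name": name, "skipped": "remote-url"}      # nothing to look up
    args = [a for a in spec.get("args", []) if not a.startswith("-")]
    cmd = spec.get("command")
    if cmd == "npx" and args:
        eco, m = "npm", NPM_SPEC.fullmatch(args[0])
    elif cmd == "uvx" and args:
        eco, m = "PyPI", PYPI_SPEC.fullmatch(args[0])
    else:
        return {"name": name, "skipped": "local-path"}      # no registry to audit
    if m is None:
        return {"name": name, "skipped": "unparseable-spec"}
    return {"name": name, "ecosystem": eco, "package": m.group(1),
            "version": m.group(2), "unpinned": m.group(2) is None}

def inventory(mcp_json_text):
    servers = json.loads(mcp_json_text).get("mcpServers", {})
    return [resolve(n, s) for n, s in servers.items()]

def osv_query(entry):
    """Request body for POST https://api.osv.dev/v1/query. With no pinned version
    the query spans every release, so a hit only means 'may be vulnerable'."""
    if "skipped" in entry:
        return None
    body = {"package": {"name": entry["package"], "ecosystem": entry["ecosystem"]}}
    if entry["version"]:
        body["version"] = entry["version"]
    return body

def summarize(entries):
    audited = [e for e in entries if "skipped" not in e]
    return {"total": len(entries), "unpinned": sum(e["unpinned"] for e in audited),
            "skipped": len(entries) - len(audited)}
```

Because an unpinned `npx -y pkg` has no version to send, the OSV answer for it can only say whether any release is affected, which is exactly why the unpinned finding matters on its own.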

## CI gate

```yaml
# .github/workflows/agent-supply-chain.yml
jobs:
  agentlock:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with: { python-version: "3.11" }
      - run: pipx install mujin-agentlock
      - run: agentlock scan --fail-on vuln   # fail the build on a known-vulnerable extension
```

`--fail-on {vuln,stale,unpinned,none}`, `--json`, `--offline` (inventory only). Zero dependencies.

## Part of a set

- [**agentaudit**](https://github.com/mujinlabs/agentaudit) — audit an extension's *code* for risky patterns.
- [**agentsync**](https://github.com/mujinlabs/agentsync) — keep agent config files in sync.
- [**skillbudget**](https://github.com/mujinlabs/skillbudget) — budget always-loaded context tokens.
- [**mcpdrift**](https://github.com/mujinlabs/mcpdrift) — catch MCP server contract drift.

agentaudit audits *one* extension's code; agentlock audits your whole *fleet* of installed extensions.

---

Built by **[Mujin Labs](https://github.com/mujinlabs)** — tooling for the autonomous-agent era. MIT.
