Agent Bom MCP Server

@mcp/server-fs

Open security platform for agentic infrastructure — broad scanning, blast radius, runtime, and trust

20 0 tools GitHub npm PyPI

No known CVEs

No license

Actively maintained

Last commit 0d ago

Works with most clients

Transport: stdio, http

0 tools

Grade F

Edit this pageView history

Security DevOps

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "agent-bom": {
      "args": [
        "agent-bom",
        "mcp",
        "server"
      ],
      "command": "uvx"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/io-github-msaad00-agent-bom)](https://mcppedia.org/s/io-github-msaad00-agent-bom)

Read me

What Agent Bom MCP Server does

Open security platform for agentic infrastructure — broad scanning, blast radius, runtime, and trust

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

npx -y '@mcp/server-fs' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

54/100across 5 weighted dimensions

How we score →

0255075100

−46

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

No known CVEs.

Checked @mcp/server-fs against OSV.dev.

Help improve this page

This server is missing a description. Tools and install config are also missing.If you've used it, help the community.

Add information

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is Agent Bom MCP Server safe to use?: Agent Bom MCP Server has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.
How do I install Agent Bom MCP Server?: Agent Bom MCP Server supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What AI clients work with Agent Bom MCP Server?: Agent Bom MCP Server is compatible with claude-desktop, cursor, claude-code. It uses stdio and http transport.
Is Agent Bom MCP Server actively maintained?: Agent Bom MCP Server is actively maintained — last commit was 0 days ago. It has 20 GitHub stars.

Similar servers

Others in security / devops

View all →

Mcp Gitlab96

MCP server for using the GitLab API

1.6k 12

Evil Mcp Server93

An evil MCP server used for redteam testing

30 1

Alibabacloud Devops Mcp Server92

Yunxiao MCP Server provides AI assistants with the ability to interact with the Yunxiao platform. It provides a set of tools that interact with Yunxiao's API, allowing AI assistants to manage Codeup repository, Project, Pipeline, Packages etc.

116 7

Mcp Gitlab Server92

Enhanced MCP server for GitLab: group projects listing and activity tracking

51 2

MCP Security Weekly

Get CVE alerts and security updates for Agent Bom MCP Server and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?

First Run

pip install agent-bom agent-bom quickstart --dry-run --offline # print the onboarding plan agent-bom quickstart --run --offline # write sample, scan, seed gateway policy, populate the cockpit agent-bom agents --demo --offline

The demo uses real OSV/GHSA advisories against intentionally vulnerable sample packages and produces graph-ready inventory without touching your source tree. For a real local scan:

agent-bom agents -p . -f html -o agent-bom-report.html

Want an inspectable sample stack first?

agent-bom samples first-run agent-bom agents --inventory agent-bom-first-run/inventory.json -p agent-bom-first-run --enrich

See docs/FIRST_RUN.md for the guided path from CLI output to the dashboard.

Frequently Asked Questions

Is Agent Bom MCP Server safe to use?

Agent Bom MCP Server has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.

How do I install Agent Bom MCP Server?

Agent Bom MCP Server supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.

What AI clients work with Agent Bom MCP Server?

Agent Bom MCP Server is compatible with claude-desktop, cursor, claude-code. It uses stdio and http transport.

Is Agent Bom MCP Server actively maintained?

Agent Bom MCP Server is actively maintained — last commit was 0 days ago. It has 20 GitHub stars.

Open security scanner and self-hosted control plane for AI/MCP infrastructure.

Headless agent primitives and human cockpit surfaces over the same evidence model.

Docs · First Run · Self-host · GitHub Action · Docker · Changelog

agent-bom scans local and fleet AI infrastructure, builds an AI BOM across agents, MCP servers, tools, packages, credential environment names, cloud, runtime, and skills, then turns that inventory into findings, compliance evidence, and graph-backed exposure paths.

The same evidence is available through CLI/CI, REST API, MCP tools, and a self-hosted dashboard. Runtime proxy/gateway controls are optional and scoped to environments where enforcement is worth the operational cost.

package -> vulnerability finding -> MCP server -> tools + credential refs -> agent

Blast radius is the core idea. A vulnerable package is not just a CVE row; it is linked to the MCP server that loads it, the tools exposed by that server, the credential environment names in reach, and the agents that can call it.

First Run

pip install agent-bom
agent-bom quickstart --dry-run --offline   # print the onboarding plan
agent-bom quickstart --run --offline        # write sample, scan, seed gateway policy, populate the cockpit
agent-bom agents --demo --offline

The demo uses real OSV/GHSA advisories against intentionally vulnerable sample packages and produces graph-ready inventory without touching your source tree. For a real local scan:

agent-bom agents -p . -f html -o agent-bom-report.html

Want an inspectable sample stack first?

agent-bom samples first-run
agent-bom agents --inventory agent-bom-first-run/inventory.json -p agent-bom-first-run --enrich

See docs/FIRST_RUN.md for the guided path from CLI output to the dashboard.

... View full README on GitHub