Package Exports
- ai-trust
- ai-trust/dist/index.js
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (ai-trust) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
ai-trust
Trust verification CLI for AI packages. Queries the OpenA2A Registry trust graph for security scans, community consensus, dependency risk, and known advisories.
Installation
brew install opena2a-org/tap/ai-trust
Or via npm:
npm install -g ai-trust
Or run directly with npx:
npx ai-trust check @modelcontextprotocol/server-filesystem
Commands
check
Look up the trust verdict for a single package.
ai-trust check @modelcontextprotocol/server-filesystem
Specify the package type explicitly:
ai-trust check my-agent --type a2a_agent
Scan on demand
When a package isn't in the registry, ai-trust can download and scan it locally using HackMyAgent. In interactive mode, you'll be prompted. In CI, use flags:
# Auto-scan unknown packages, contribute results to the community registry
ai-trust check mcp-server-xyz --scan-if-missing --contribute
# Force re-scan even if registry data exists
ai-trust check server-filesystem --rescan
# Disable scanning entirely (registry lookup only)
ai-trust check server-filesystem --no-scan
audit
Parse dependency files and batch-query all dependencies. Supports any .json file (package.json format) or .txt file (requirements.txt format). Unknown extensions are auto-detected.
ai-trust audit package.json
ai-trust audit requirements.txt
ai-trust audit deps/prod-deps.json
Set a minimum trust level threshold (default: 3):
ai-trust audit package.json --min-trust 2
Scan dependencies not found in the registry:
ai-trust audit package.json --scan-missing --contribute
batch
Look up trust verdicts for multiple packages at once.
ai-trust batch express lodash chalk commander
Filter by package type (packages that don't match are excluded):
ai-trust batch my-server-a my-server-b --type mcp_server
Output Options
Get raw JSON for scripting:
ai-trust check express --json
ai-trust audit package.json --json
Use a custom registry URL:
ai-trust check express --registry-url http://localhost:8080
Disable colored output:
ai-trust check express --no-color
Exit Codes
| Code | Meaning |
|---|---|
| 0 | All queried packages meet the minimum trust threshold |
| 1 | Error (network failure, file not found, server error, package not found) |
| 2 | One or more packages fall below the minimum trust threshold (--min-trust) |
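The exit codes above matter in CI because code 1 also covers "package not found", so a pipeline that only blocks on code 2 would let unknown packages through. The following wrapper is an added example, not part of the ai-trust project; the `AI_TRUST` and `MIN_TRUST` environment variables and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the ai-trust project): CI gate over `ai-trust audit`.
# AI_TRUST and MIN_TRUST are environment variables assumed by this script only.
AI_TRUST=${AI_TRUST:-ai-trust}
MIN_TRUST=${MIN_TRUST:-3}

# Map the exit codes documented in the README to a gate verdict.
classify_exit() {
  case "$1" in
    0) echo pass ;;
    2) echo below-threshold ;;
    *) echo error ;;   # 1 covers network failure AND "package not found"
  esac
}

# Run one command and fail closed: only exit code 0 lets the build continue.
run_gate() {
  rc=0
  "$@" || rc=$?
  case "$(classify_exit "$rc")" in
    pass) return 0 ;;
    below-threshold)
      echo "trust gate: package(s) below the minimum trust level" >&2; return 2 ;;
    *)
      echo "trust gate: audit incomplete (exit $rc), failing closed" >&2; return 1 ;;
  esac
}

# Audit every dependency file; report 2 if any is below threshold,
# otherwise 1 if any audit could not complete, otherwise 0.
audit_all() {
  worst=0
  for dep_file in "$@"; do
    file_rc=0
    run_gate "$AI_TRUST" audit "$dep_file" --min-trust "$MIN_TRUST" || file_rc=$?
    if [ "$file_rc" -eq 2 ]; then worst=2
    elif [ "$file_rc" -ne 0 ] && [ "$worst" -eq 0 ]; then worst=1
    fi
  done
  return "$worst"
}

# Run only when dependency files are given on the command line.
if [ "$#" -gt 0 ]; then
  audit_all "$@"
  exit $?
fi
```

Invoke it with one or more dependency files as arguments; any non-zero result should fail the build step.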
Trust Levels
| Level | Label | Description |
|---|---|---|
| 0 | Blocked | Package is blocked due to security concerns |
| 1 | Warning | Package has known issues |
| 2 | Listed | Package is listed but not yet scanned |
| 3 | Scanned | Package has been scanned by HackMyAgent |
| 4 | Verified | Package is verified by the publisher |
Requirements
- Node.js 18 or later
- HackMyAgent (optional, required for local scanning)
Development
git clone https://github.com/opena2a-org/ai-trust.git
cd ai-trust
npm install
npm run build
Run locally without installing globally:
node dist/index.js check express
License
Apache-2.0