ai-trust
Trust verification CLI for AI packages. Queries the OpenA2A Registry trust graph for security scans, community consensus, dependency risk, and known advisories.
Installation
brew install opena2a-org/tap/ai-trust
Or via npm:
npm install -g ai-trust
Or run directly with npx:
npx ai-trust check @modelcontextprotocol/server-filesystem
For a full security dashboard covering trust, credentials, shadow AI, and more:
npx opena2a-cli review
Quick Start
ai-trust check @modelcontextprotocol/server-filesystem
Expected output:
@modelcontextprotocol/server-filesystem
Trust Level: 3 (Scanned)
Score: 74/100
Verdict: safe
Scanned: 2026-03-01
Findings: 0 critical, 0 high, 2 medium
Built-in Help
ai-trust --help # All commands and flags
ai-trust --version # Current version
ai-trust [command] -h # Help for a specific command
Commands
check
Look up the trust verdict for a single package.
ai-trust check @modelcontextprotocol/server-filesystem
ai-trust check my-custom-agent --type a2a_agent
ai-trust check express --json # JSON output for scripting
MCP Server Trust
MCP servers are the most common trust query. Use shorthand to skip the full @modelcontextprotocol/ scope:
# These are equivalent:
ai-trust check server-filesystem
ai-trust check @modelcontextprotocol/server-filesystem
# Third-party MCP servers use their own package names:
ai-trust check mcp-server-kubernetes
ai-trust check @supabase/mcp-server-supabase
ai-trust check @cloudflare/mcp-server-cloudflare
Shorthand rule: server-* resolves to @modelcontextprotocol/server-*. Third-party mcp-server-* packages are looked up by their actual name.
Scan on demand
When a package is not in the registry, ai-trust can download and scan it locally using HackMyAgent. In interactive mode, you will be prompted. In CI, use flags:
# Auto-scan unknown packages, contribute results to the community registry
ai-trust check mcp-server-xyz --scan-if-missing --contribute
# Force re-scan even if registry data exists
ai-trust check server-filesystem --rescan
# Disable scanning entirely (registry lookup only)
ai-trust check server-filesystem --no-scan
audit
Parse dependency files and batch-query all dependencies. Supports any .json file (package.json format) or .txt file (requirements.txt format).
ai-trust audit package.json
ai-trust audit requirements.txt
ai-trust audit package.json --min-trust 2 # set minimum trust threshold (default: 3)
ai-trust audit package.json --scan-missing --contribute # scan deps not in registry
batch
Look up trust verdicts for multiple packages at once.
ai-trust batch express lodash chalk commander
ai-trust batch my-server-a my-server-b --type mcp_server
Output Options
ai-trust check express --json # JSON output for scripting
ai-trust audit package.json --json # JSON audit output
ai-trust check express --no-color # disable colored output
ai-trust check express --registry-url http://localhost:8080 # custom registry
Community Contribution
Every scan you run can improve trust data for the entire community. Scan results are shared as anonymized telemetry (check pass/fail and severity only -- no file paths, source code, or descriptions).
On first scan, ai-trust asks whether you want to contribute. Your choice is saved in ~/.opena2a/config.json and shared across all OpenA2A tools (opena2a-cli, hackmyagent).
# Contribute for this scan (non-interactive / CI)
ai-trust check chalk --rescan --contribute
# Configure globally via opena2a-cli
opena2a config set contribute true # opt in
opena2a config set contribute false # opt out
The more scans contributed, the faster packages move from "Listed" to "Scanned" trust level, reducing risk for everyone.
Trust Levels
| Level | Label | Description |
|---|---|---|
| 0 | Blocked | Package is blocked due to security concerns |
| 1 | Warning | Package has known issues |
| 2 | Listed | Package is listed but not yet scanned |
| 3 | Scanned | Package has been scanned by HackMyAgent |
| 4 | Verified | Package is verified by the publisher |
Exit Codes
| Code | Meaning |
|---|---|
| 0 | All queried packages are safe / meet the trust threshold |
| 1 | Operational error (network failure, file not found, server error) |
| 2 | Policy signal: one or more packages have warning/blocked verdict or fall below --min-trust |
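A CI gate that acts on the exit codes above, keeping "no verdict obtained" (1) separate from "verdict says stop" (2). This is an added example, not code from the ai-trust project; AI_TRUST_CMD, FAIL_OPEN, classify_exit and trust_gate are names assumed for the sketch, and only the documented audit command and --min-trust flag are used.

```shell
#!/usr/bin/env bash
# Added example: pipeline gate around `ai-trust audit`, keyed on its documented exit codes.
# AI_TRUST_CMD and FAIL_OPEN are hypothetical knobs of this sketch, not ai-trust settings.

AI_TRUST_CMD="${AI_TRUST_CMD:-ai-trust}"   # override to point at a wrapper or a test stub
FAIL_OPEN="${FAIL_OPEN:-0}"                # 1 = let the build continue when the lookup itself fails

# classify_exit CODE -> prints pass | error | policy | unknown
classify_exit() {
  case "$1" in
    0) echo pass ;;      # all packages safe / meet the threshold
    1) echo error ;;     # operational error: network, file not found, server error
    2) echo policy ;;    # warning/blocked verdict or below --min-trust
    *) echo unknown ;;
  esac
}

# trust_gate FILE [MIN_TRUST] -> returns 0 to continue the pipeline, non-zero to stop it
trust_gate() {
  local file="$1" min="${2:-3}" rc=0
  "$AI_TRUST_CMD" audit "$file" --min-trust "$min" || rc=$?
  case "$(classify_exit "$rc")" in
    pass)
      return 0 ;;
    policy)
      echo "trust gate: a dependency is warning/blocked or below trust level $min" >&2
      return 2 ;;
    error)
      # No verdict was obtained, so the dependencies are unvetted, not approved.
      echo "trust gate: audit could not complete, no verdict obtained" >&2
      if [ "$FAIL_OPEN" = "1" ]; then return 0; fi
      return 1 ;;
    *)
      echo "trust gate: unexpected exit code $rc" >&2
      return 1 ;;
  esac
}

# Run as a script:  ./trust-gate.sh package.json 2
if [ "$#" -gt 0 ]; then trust_gate "$@"; fi
```

The default is fail-closed: an operational error stops the build, because a registry outage would otherwise let unvetted dependencies through unnoticed.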
Requirements
- Node.js 18 or later
- HackMyAgent (optional, required for local scanning)
Development
git clone https://github.com/opena2a-org/ai-trust.git
cd ai-trust && npm install && npm run build
node dist/index.js check express # run locally without installing
Use Cases
Step-by-step guides for common workflows:
- Check if a package is safe before installing
- Verify an MCP server's trust score
- Contribute trust data to the community
See docs/USE-CASES.md for the full index.
Links
- OpenA2A Registry — trust scores and scan data
- OpenA2A CLI — unified security CLI
- HackMyAgent — local scanning for unverified packages
- opena2a.org — full platform
License
Apache-2.0