opena2a
mcp
Failed
Health Passed
- License — License: Apache-2.0
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Community trust — 13 GitHub stars
Code Failed
- fs module — File system access in .github/workflows/release.yml
- rm -rf — Recursive force deletion command in docs/vhs/setup-lab.sh
- Hardcoded secret — Potential hardcoded credential in docs/vhs/setup-lab.sh
- rm -rf — Recursive force deletion command in packages/aim-core/package.json
Permissions Passed
- Permissions — No dangerous permissions requested
Purpose
This is an open-source security platform and CLI designed to audit AI agents and MCP servers. It scans projects to find vulnerabilities, detect hardcoded credentials, manage cryptographic identities, and automatically fix root causes.
Security Assessment
The tool inherently interacts with sensitive data by design, as its primary function is to scan for exposed credentials and misconfigurations. The audit raised significant concerns regarding how it handles its own environment. There is a critical failure involving a hardcoded credential found within a lab setup script. Additionally, recursive force deletion (`rm -rf`) commands were detected in both this script and a core package configuration, which is a risky practice. While the package itself does not request dangerous permissions, it relies on executing shell commands to perform its automated fixes and system scans. The overall risk is rated as High due to the presence of hardcoded secrets and aggressive file deletion commands in the codebase.
Quality Assessment
The project is actively maintained, with its most recent code push occurring just today. It uses the permissive and standard Apache-2.0 license. However, the community trust level is currently very low, evidenced by only 13 GitHub stars, indicating limited public oversight and testing.
Verdict
Use with caution. While the project is active and recently updated, developers should carefully review the hardcoded credentials and destructive file deletion commands before integrating this into their workflows.
Open-source security tools for AI agents. Find vulnerabilities, fix root causes, prove compliance.
README.md
OpenA2A: CLI · HackMyAgent · Secretless · AIM · Browser Guard · DVAA
opena2a
Open-source security platform for AI agents. Installed as opena2a-cli on npm.
npx opena2a-cli review
OpenA2A Security Review v0.8.11
Findings
-----------------------------------------------
Credential scan 3 hardcoded keys
Shadow AI 2 agents, 4 MCP servers
Config integrity unsigned
Governance no SOUL.md
-----------------------------------------------
Security Score 30 / 100 -> 85 by running opena2a protect
Run: opena2a protect (fix all findings)

Install globally if you prefer:
npm install -g opena2a-cli
brew tap opena2a-org/tap && brew install opena2a
Built-in Help
You do not need this README. The CLI has built-in discovery:
opena2a ? # Contextual recommendations for your project
opena2a ~shadow ai # Semantic search across all commands
opena2a "find leaked credentials" # Natural language command matching
opena2a # Interactive guided wizard (no args)
Commands
| Command | What it does |
|---|---|
| `opena2a review` | Full security dashboard — HTML report, 6-phase assessment |
| `opena2a detect` | Find shadow AI agents, MCP servers, AI configs. Governance score. |
| `opena2a protect` | Fix everything — credentials, .gitignore, config signing |
| `opena2a init` | Read-only security assessment with trust score |
| `opena2a identity create` | Cryptographic identity for your project |
| `opena2a harden-soul` | Generate SOUL.md governance rules |
| `opena2a scan` | 204 security checks via HackMyAgent |
| `opena2a shield init` | Full security setup — all of the above, one command |
Full command reference: opena2a.org/docs
Ecosystem
Each command routes to a specialized tool, installed on first use:
| Command | Tool | Description |
|---|---|---|
| `detect` | Shadow AI | Discover AI agents, MCP servers, AI configs |
| `identity` | AIM | Cryptographic identity, audit logs, trust scoring |
| `scan` | HackMyAgent | 204 security checks, 115 attack payloads, auto-fix |
| `scan-soul` | SOUL Scanner | 72 governance controls, 9 domains, 6 profiles |
| `harden-skill` | Skill Hardener | Frontmatter validation, permission scoping, integrity pinning |
| `secrets` | Secretless AI | Credential management for AI coding tools |
| `mcp` | MCP Security | Audit, sign, and verify MCP server configurations |
| `benchmark` | OASB | 222 attack scenarios, compliance scoring |
| `train` | DVAA | Vulnerable AI agent for security training |
| `create` | Skill Scaffolding | Secure skill templates with signing and heartbeat |
| `guard harden` | HackMyAgent | Scan skills for hardening issues, auto-fix |
Use Cases
- Developer using AI coding tools — 5 minutes
- Security team assessing AI risk — 10 minutes
- MCP server author — 15 minutes
- CI/CD pipeline integration
Docs
Full command reference, Shield subcommands, scope drift detection, behavioral governance, credential patterns, and CI/CD examples: opena2a.org/docs
Requirements
- Node.js >= 18
- Optional: Docker (for `opena2a train`)
License
Apache-2.0