npm audit for your AI agent's extensions: inventory installed MCP servers/skills and flag known-vulnerable (OSV), abandoned, and unpinned ones in CI.

Project description

agentlock

npm audit for your AI agent's extensions. Inventory the MCP servers (and skills) your project has installed, resolve each to its npm/PyPI package, and flag the known-vulnerable, abandoned, and unpinned ones — with a CI gate.

You wire up MCP servers with npx -y some-server and uvx some-server and never think about them again. But they're third-party code with full tool access — and the supply chain is real: mcp-remote shipped CVE-2025-6514 (CVSS 9.6, OS command injection) with 437K+ weekly downloads. Generic SBOM scanners don't look at your agent layer. agentlock does.

pipx install mujin-agentlock

agentlock scan            # audit this project's MCP servers / skills
agentlock scan --global   # also include ~/.claude.json etc.

  remote-proxy  (mcp-server, .mcp.json)
      npm:mcp-remote@0.0.5  · vulnerable  [VULNERABLE]
      ! GHSA-6xpm-ggf7-wc3p (CVE-2025-6514)  OS command injection via untrusted MCP server connections
  everything  (mcp-server, .mcp.json)
      npm:@modelcontextprotocol/server-everything  · ok  [unpinned]

  3 extension(s): 1 vulnerable, 0 stale, 1 unpinned

What it checks

For each MCP server it can resolve to a registry package:

  • Known vulnerabilities — queried against OSV.dev (free, no key).
  • Abandoned / stale — no release in --stale-days (default 365), via the npm/PyPI registry.
  • Unpinned — launched with a floating version (npx -y pkg), so you can't reproduce what runs.

Where it reads extensions from: .mcp.json, .cursor/mcp.json, .vscode/mcp.json, .claude/settings.json, .claude/skills/, and (--global) ~/.claude.json.

Honest scope

There is no MCP-specific advisory feed yet, so agentlock maps an MCP server to its underlying npm/PyPI package and audits that. It catches dependency CVEs (like the one above) and abandonment — it does not detect MCP-specific tool-poisoning in an otherwise-clean package. Local-path and remote-URL servers have no registry to audit and are listed as skipped. (For content risks in a specific skill/server, pair it with agentaudit.)

CI gate

# .github/workflows/agent-supply-chain.yml
on: [push, pull_request]   # trigger assumed here; the original snippet omitted the required on: key
jobs:
  agentlock:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with: { python-version: "3.11" }
      - run: pipx install mujin-agentlock
      - run: agentlock scan --fail-on vuln   # fail the build on a known-vulnerable extension

Other flags: --fail-on {vuln,stale,unpinned,none} to choose which finding fails the build, --json for machine-readable output, and --offline (inventory only, no registry or OSV lookups). Zero dependencies.

Part of a set

  • agentaudit — audit an extension's code for risky patterns.
  • agentsync — keep agent config files in sync.
  • skillbudget — budget always-loaded context tokens.
  • mcpdrift — catch MCP server contract drift.

agentaudit audits one extension's code; agentlock audits your whole fleet of installed extensions.


Built by Mujin Labs — tooling for the autonomous-agent era. MIT.

Download files

Source Distribution

mujin_agentlock-0.1.0.tar.gz (10.4 kB)

Built Distribution

mujin_agentlock-0.1.0-py3-none-any.whl (11.5 kB)

File details

Details for the file mujin_agentlock-0.1.0.tar.gz.

File metadata

  • Download URL: mujin_agentlock-0.1.0.tar.gz
  • Size: 10.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.3

File hashes

Hashes for mujin_agentlock-0.1.0.tar.gz
Algorithm Hash digest
SHA256 8ca54e0b69d0ddc07212542cf0210be77a9b2d983515722c9d35bd9d9a81f1e4
MD5 9573d88fa70041ce3779ba58a759cd94
BLAKE2b-256 65686174c5aae2b652cabbd242da2924b0fa4ce4fcefe1fa0d48251f18b45aa1

File details

Details for the file mujin_agentlock-0.1.0-py3-none-any.whl.

File hashes

Hashes for mujin_agentlock-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 9e2b7a618565e781215888209839f0100d564fafcab7200922a05b920d0f38e6
MD5 b173051f5d423f341fa8175132cda880
BLAKE2b-256 d5a481847a9128f9cd8fb9ac314e835ac330f9b13a0871e07d580d4663861005
