opena2a trust

Look up the trust profile and security posture of any AI agent or MCP server.

Prerequisites

Install the OpenA2A CLI globally:

npm install -g opena2a-cli

Usage

opena2a trust [package] [options]

Description

Queries the trust profile for a given package or the current project. Returns the trust score (0-100), trust level, security scan results, supply chain analysis, and declared capabilities. When run without arguments, reads package.json or pyproject.toml in the current directory.

Trust scores are synthesized from multiple signals: security scan findings (hardening checks, governance analysis, attack simulation), supply chain data (dependency risk, maintainer activity, version history), and community verification (ownership claims, published scan results).

Trust Levels

Level        Description
discovered   Package exists in a public index (npm, PyPI, GitHub). No security data yet.
scanned      Automated security scans have been run. Trust score reflects scan findings.
claimed      A publisher has verified ownership. Identity linked via Ed25519 keypair.
verified     Publisher identity confirmed through multiple channels. Scan results published.
certified    Full OASB governance review completed. Meets baseline security requirements.

Flags

Flag                          Description
--source <npm|pypi|github>    Package source. Defaults to npm. Auto-detected from package name or URL if omitted.
--json                        Output as JSON. Shorthand for --format json.
--verbose                     Show detailed breakdown of trust score components.
--registry-url <url>          Override the trust profile endpoint.
--ci                          CI mode with deterministic output.

Examples

# Check trust for an npm package (npm is the default source)
opena2a trust express
# Scoped npm package
opena2a trust @anthropic/mcp-server-fetch
# Check trust for a PyPI package
opena2a trust langchain --source pypi
# GitHub URL auto-detected
opena2a trust https://github.com/anthropics/anthropic-sdk-node
# Check trust for current project (reads package.json)
opena2a trust
# JSON output for scripting
opena2a trust @anthropic/mcp-server-fetch --json

Example Output

  @anthropic/mcp-server-fetch

  Trust Score     72 / 100
  Trust Level     scanned
  Source          npm

  Security Posture
    Hardening         14/17 checks passed
    Governance        SOUL.md present, 3 policies defined
    Attack Surface    2 low-severity findings

  Supply Chain
    Dependencies      12 direct, 47 transitive
    Known Vulns       0 critical, 1 moderate
    Maintainers       2 active in last 90 days
    Last Published    2026-02-18

  Capabilities
    network           fetch HTTP/HTTPS resources
    filesystem        none declared

  Improve this score: opena2a claim @anthropic/mcp-server-fetch
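
A dependency-admission gate over the text report shown above, as an added example that is not part of the OpenA2A CLI or its documentation. The page does not show the --json schema, so the example parses the text layout instead. It assumes that layout is stable and that the trust levels rank in the order listed; parseTrustReport, evaluateTrust and the policy fields minScore and minLevel are hypothetical names.

```javascript
// Trust levels in the order the page lists them. Treating that order as a
// ranking is an assumption of this example.
const LEVELS = ["discovered", "scanned", "claimed", "verified", "certified"];

// Constructed sample, reduced from the Example Output section.
const SAMPLE = `
  @anthropic/mcp-server-fetch

  Trust Score     72 / 100
  Trust Level     scanned
  Source          npm

  Supply Chain
    Known Vulns       0 critical, 1 moderate
`;

// Extract the three fields the gate checks; absent fields come back as null.
function parseTrustReport(text) {
  const score = text.match(/^\s*Trust Score\s+(\d{1,3})\s*\/\s*100\s*$/m);
  const level = text.match(/^\s*Trust Level\s+([a-z]+)\s*$/m);
  const crit = text.match(/^\s*Known Vulns\s+(\d+)\s+critical\b/m);
  return {
    score: score ? Number(score[1]) : null,
    level: level ? level[1] : null,
    criticalVulns: crit ? Number(crit[1]) : null,
  };
}

// Return the list of policy violations; an empty list means the package passes.
// Missing or unrecognized fields count as violations (fail closed).
function evaluateTrust(text, policy) {
  const need = LEVELS.indexOf(policy.minLevel);
  if (need === -1) throw new Error("policy.minLevel is not a known trust level");
  const r = parseTrustReport(text);
  const reasons = [];
  if (r.score === null || r.score > 100) reasons.push("trust score missing or out of range");
  else if (r.score < policy.minScore) reasons.push(`score ${r.score} < ${policy.minScore}`);
  const rank = LEVELS.indexOf(r.level);
  if (rank === -1) reasons.push("trust level missing or unknown");
  else if (rank < need) reasons.push(`level ${r.level} below ${policy.minLevel}`);
  if (r.criticalVulns === null) reasons.push("critical vulnerability count missing");
  else if (r.criticalVulns > 0) reasons.push(`${r.criticalVulns} critical vulnerabilities`);
  return reasons;
}

// Sample policy: score of at least 70 and a publisher-claimed package.
console.log(evaluateTrust(SAMPLE, { minScore: 70, minLevel: "claimed" }));
```

In a pipeline, a non-empty result would map to a non-zero exit status so the build stops before the package is installed.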
