npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

agent-cognicheck

v0.2.0

Published

Local-first security and cognitive-risk scanner for MCP tools and agent skills with ToolBOM, attack harness, and policy checks.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

gowrav_mgowrav_m

Keywords

ai-agentsmcpmcp-securityagent-securityprompt-injectiontool-poisoningunicode-securityai-agents-securitymodel-context-protocolllm-securitydevsecopslocal-firstsupply-chainclisarif

Readme

agent-cognicheck

CI Node 22+ License MIT Local first MCP security

Local-first security and cognitive-risk scanner for MCP tools and agent skills.

Agent tools are executable trust boundaries. A safe-looking MCP server or skill can hide prompt-injection text, invisible Unicode, overbroad tokens, shell access, or source-to-webhook exfiltration paths. agent-cognicheck turns those risks into repeatable local tests before agents touch the tools.

agent-cognicheck terminal demo

Agent Trust Suite

flowchart LR
  A["agent-endpoint-doctor"] --> F["agent-trust-center"]
  B["nim-doctor"] --> F
  C["agent-cognicheck"] --> F
  D["agent-skillguard"] --> F
  E["agentops-watchtower"] --> F
  F --> G["one trust report"]
  F --> H["CI gate"]

Cognicheck contributes cognitive/tool attack evidence to Agent Trust Center through npx agent-cognicheck evidence.

Quickstart

npx agent-cognicheck demo
npx agent-cognicheck attack ./examples --fail-on high
npx agent-cognicheck report ./examples
Cognicheck demo complete
Decision: BLOCK
Tools: 8
Attack failures: 5
Wrote .cognicheck/reports/cognicheck-report.json
Wrote .cognicheck/reports/cognicheck-report.md
Wrote .cognicheck/reports/cognicheck-report.html

Three-Step Scan

# 1. Discover MCP tools, configs, and skills
npx agent-cognicheck discover ./examples

# 2. Run cognitive security checks
npx agent-cognicheck lint ./examples --fail-on high

# 3. Run the local attack harness
npx agent-cognicheck attack ./examples --fail-on high

Why This Exists

Teams are plugging MCP servers, coding-agent tools, and skills into Claude Code, Codex, Cursor, Copilot, LangChain, and internal agents faster than they can review them. Checklists are useful, but they do not fail CI. Observability is useful, but it often starts after the risky tool is already connected.

agent-cognicheck is the missing front-door test lab:

  • Discovers MCP descriptors, MCP server configs, and agent skills.
  • Builds a local ToolBOM/SkillBOM.
  • Lints cognitive risk: tool poisoning, secret exfiltration, weak schemas, broad capabilities, overprivileged tokens.
  • Scans for hidden Unicode and bidirectional text payloads.
  • Runs deterministic attack scenarios for prompt injection, source-to-sink exfiltration, shell execution, and open-world network tools.
  • Writes JSON, Markdown, and HTML evidence for PRs, audits, and CI gates.

Positioning

This is not another agent framework and not another dashboard. It is a local-first security harness for the tool layer.

agent-cognicheck      pre-deployment tool/skill attack lab
agent-skillguard      skill supply chain, passport, lock, admission
agentops-watchtower   runtime evidence, attack graph, firewall

Use the trilogy together:

  • Run agent-cognicheck before connecting tools and skills to an agent.
  • Use agent-skillguard to approve, lock, passport, and baseline reviewed skills.
  • Use agentops-watchtower to record runtime behavior, enforce capability firewalls, and preserve evidence.

Commands

agent-cognicheck init
agent-cognicheck demo
agent-cognicheck discover ./agent-stack
agent-cognicheck bom ./agent-stack
agent-cognicheck lint ./agent-stack --fail-on high
agent-cognicheck unicode-scan ./agent-stack --fail-on high
agent-cognicheck attack ./agent-stack --fail-on high
agent-cognicheck policy check ./agent-stack --fail-on high
agent-cognicheck report ./agent-stack
agent-cognicheck doctor

What It Detects

| Risk | Example | | --- | --- | | Tool poisoning | Tool text says "ignore previous instructions" or silently changes selection behavior. | | Secret exfiltration | Secret access appears in the same stack as network/webhook publishing. | | Hidden Unicode | Bidirectional or invisible controls hide instructions from reviewers. | | Overprivileged MCP config | Broad tokens are exposed to MCP servers. | | Ungated shell | A shell-capable tool lacks approval language. | | Open-world network | Tools can fetch or post to arbitrary URLs without allowlists. | | Weak schemas | MCP tools omit strict input schemas. | | Broad capability surface | One tool combines too many high-power capabilities. |

Report Preview

flowchart LR
  A["MCP config / skill folder"] --> B["ToolBOM"]
  B --> C["Cognitive lint"]
  B --> D["Unicode scan"]
  B --> E["Attack harness"]
  C --> F["Policy gate"]
  D --> F
  E --> F
  F --> G["JSON / Markdown / HTML evidence"]

CI Example

name: cognicheck
on: [pull_request]
jobs:
  agent-cognicheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npx agent-cognicheck attack ./examples --fail-on high

Docs

Local Development

npm install
npm run typecheck
npm test
npm run lint
npm run build
node dist/cli.js demo

Design Principles

  • Local-first by default.
  • No paid API, no cloud dependency, no LLM calls in v0.1.
  • Deterministic attack scenarios with stable outputs.
  • Strict TypeScript and Zod schemas for every artifact.
  • Evidence artifacts that security teams can store, diff, and attach to PRs.

Status

0.1.0 is the first MVP. It focuses on deterministic local discovery, static cognitive lint, Unicode payload detection, attack harness simulation, policy gating, and report generation.