ai-trust

v0.2.4

Trust verification CLI for AI packages — check MCP servers, A2A agents, and AI tools before you install

OpenA2A: CLI · HackMyAgent · Secretless · AIM · Browser Guard · DVAA · Registry (April 2026)

ai-trust

Trust verification CLI for AI packages. Queries the OpenA2A Registry trust graph for security scans, community consensus, dependency risk, and known advisories.

Installation

brew install opena2a-org/tap/ai-trust

Or via npm:

npm install -g ai-trust

Or run directly with npx:

npx ai-trust check @modelcontextprotocol/server-filesystem

For a full security dashboard covering trust, credentials, shadow AI, and more:

npx opena2a-cli review

Quick Start

ai-trust check @modelcontextprotocol/server-filesystem

Expected output:

@modelcontextprotocol/server-filesystem
  Trust Level: 4 (Verified)
  Verdict:     safe
  Scanned:     2026-03-01
  Findings:    0 critical, 0 high, 2 medium

Built-in Help

ai-trust --help          # All commands and flags
ai-trust --version       # Current version
ai-trust [command] -h    # Help for a specific command

Commands

check

Look up the trust verdict for a single package.

ai-trust check @modelcontextprotocol/server-filesystem
ai-trust check my-agent --type a2a_agent
ai-trust check express --json              # JSON output for scripting

MCP Server Trust

MCP servers are the most common trust query. Use shorthand to skip the full package name:

# These are equivalent:
ai-trust check server-filesystem
ai-trust check @modelcontextprotocol/server-filesystem

# Other MCP servers:
ai-trust check mcp-server-fetch
ai-trust check server-github
ai-trust check server-postgres

Shorthand rules: server-* and mcp-server-* automatically resolve to @modelcontextprotocol/server-*.

Scan on demand

When a package is not in the registry, ai-trust can download and scan it locally using HackMyAgent. In interactive mode, you will be prompted. In CI, use flags:

# Auto-scan unknown packages, contribute results to the community registry
ai-trust check mcp-server-xyz --scan-if-missing --contribute

# Force re-scan even if registry data exists
ai-trust check server-filesystem --rescan

# Disable scanning entirely (registry lookup only)
ai-trust check server-filesystem --no-scan

audit

Parse dependency files and batch-query all dependencies. Supports any .json file (package.json format) or .txt file (requirements.txt format).

ai-trust audit package.json
ai-trust audit requirements.txt
ai-trust audit package.json --min-trust 2         # set minimum trust threshold (default: 3)
ai-trust audit package.json --scan-missing --contribute  # scan deps not in registry

batch

Look up trust verdicts for multiple packages at once.

ai-trust batch express lodash chalk commander
ai-trust batch my-server-a my-server-b --type mcp_server

Output Options

ai-trust check express --json          # JSON output for scripting
ai-trust audit package.json --json     # JSON audit output
ai-trust check express --no-color      # disable colored output
ai-trust check express --registry-url http://localhost:8080  # custom registry

Community Contribution

Every scan you run can improve trust data for the entire community. Scan results are shared as anonymized telemetry (check pass/fail and severity only -- no file paths, source code, or descriptions).

On first scan, ai-trust asks whether you want to contribute. Your choice is saved in ~/.opena2a/config.json and shared across all OpenA2A tools (opena2a-cli, hackmyagent).

# Contribute for this scan (non-interactive / CI)
ai-trust check chalk --rescan --contribute

# Configure globally via opena2a-cli
opena2a config set contribute true    # opt in
opena2a config set contribute false   # opt out

The more scans contributed, the faster packages move from "Listed" to "Scanned" trust level, reducing risk for everyone.


Trust Levels

| Level | Label | Description |
|-------|-------|-------------|
| 0 | Blocked | Package is blocked due to security concerns |
| 1 | Warning | Package has known issues |
| 2 | Listed | Package is listed but not yet scanned |
| 3 | Scanned | Package has been scanned by HackMyAgent |
| 4 | Verified | Package is verified by the publisher |

Exit Codes

| Code | Meaning |
|------|---------|
| 0 | All queried packages are safe / meet the trust threshold |
| 1 | Operational error (network failure, file not found, server error) |
| 2 | Policy signal: one or more packages have warning/blocked verdict or fall below --min-trust |
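
A CI gate built on these exit codes, as an added example that is not part of the ai-trust project. `trust_gate` and `AI_TRUST_CMD` are names made up here; the script uses only the `audit` command and `--min-trust` flag shown above, and fails closed on anything other than exit code 0.

```shell
#!/bin/sh
# Added example: dependency trust gate for CI, driven by ai-trust exit codes.
# AI_TRUST_CMD is a hypothetical override so the binary can be swapped or stubbed.
AI_TRUST_CMD="${AI_TRUST_CMD:-ai-trust}"

# trust_gate MANIFEST [MIN_TRUST]
# Returns 0 (pass), 2 (policy violation) or 1 (could not evaluate, fail closed).
trust_gate() {
    tg_manifest="$1"
    tg_min="${2:-3}"    # 3 is the documented default threshold

    if [ ! -f "$tg_manifest" ]; then
        echo "trust-gate: manifest not found: $tg_manifest" >&2
        return 1
    fi

    tg_rc=0
    $AI_TRUST_CMD audit "$tg_manifest" --min-trust "$tg_min" || tg_rc=$?

    case "$tg_rc" in
        0)
            echo "trust-gate: all dependencies meet trust level $tg_min"
            ;;
        2)
            # Policy signal: a warning/blocked verdict or a package below the threshold.
            echo "trust-gate: policy violation in $tg_manifest, blocking build" >&2
            ;;
        1)
            # Network, file or server error: the verdict is unknown, so do not pass.
            echo "trust-gate: operational error, failing closed" >&2
            ;;
        *)
            # Undocumented code (for example 127 when the CLI is not installed).
            echo "trust-gate: unexpected exit code $tg_rc, failing closed" >&2
            tg_rc=1
            ;;
    esac
    return "$tg_rc"
}

# Typical CI step:  trust_gate package.json 3 || exit $?
```

Keeping exit codes 1 and 2 distinct lets the pipeline retry operational errors while treating a policy violation as a hard stop.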


Requirements

  • Node.js 18 or later
  • HackMyAgent (optional, required for local scanning)

Development

git clone https://github.com/opena2a-org/ai-trust.git
cd ai-trust && npm install && npm run build
node dist/index.js check express    # run locally without installing

Use Cases

Step-by-step guides for common workflows:

See docs/USE-CASES.md for the full index.

License

Apache-2.0