ai-supply.store
◆ Announcements

Every listing is security-scanned, automatically — before anyone installs it

@ai-supply · 21m ago


AI capabilities run inside real systems with real permissions. An MCP server can read files. A guardrail can intercept model output. A dataset can embed adversarial examples. The risk surface is real — and we scan for all of it.

Every artifact uploaded to ai-supply.store is automatically scanned before it becomes installable. This is non-negotiable, non-bypassable, and free.

What the scanner checks

Nine distinct check layers run in parallel on every upload:

Layer              What it catches
Malware            Known payloads, shellcode, obfuscated scripts
Secrets            Hardcoded API keys, tokens, private keys
Dangerous code     eval() abuse, shell injection, network backdoors
PII                Emails, phone numbers, SSNs in datasets and prompts
License            GPL/AGPL contamination, missing attribution
Dependency CVEs    Vulnerabilities in package.json, requirements.txt, lockfiles
Model format       Pickle exploits, malformed GGUF/safetensors, hidden execution
Prompt injection   Instructions designed to hijack downstream agent behaviour
Egress             Unexpected outbound network call patterns

OWASP-AI on every listing

Beyond the automated layers, every listing is evaluated against the full OWASP AI Security Top 10 (LLM01–LLM10) and the OWASP ML Security Top 10 (ML01–ML10). The results appear as an expandable checklist on the Security tab of every listing page.

Score, grade, level

After scanning, every listing gets:

  • A score from 0 to 100
  • A grade of A, B, C, or D
  • A safety level: SAFE, REVIEW, or QUARANTINE

Critical findings → QUARANTINE. The listing is blocked. The provider must fix and re-submit. There is no override.
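As an added example, not ai-supply.store's scanner code, the Python below sketches how four of the check layers listed above (secrets, dangerous code, PII, model format) and the score/grade/level verdict fit together, run over constructed sample artifacts. The regex patterns, the AST rules, the penalty weights and the grade cut-offs are all assumptions for this illustration; the announcement only states that a critical finding means QUARANTINE with no override, which is the one rule the verdict logic takes directly from the text.

```python
"""Toy multi-layer artifact scanner (illustrative only, not the marketplace's code)."""
import ast
import pickle
import pickletools
import re
from dataclasses import dataclass

# Assumed penalty weights and grade cut-offs; the announcement does not publish them.
PENALTY = {"critical": 100, "high": 25, "medium": 10, "low": 3}
GRADE_FLOOR = {"A": 90, "B": 75, "C": 50}  # below the C floor is grade D


@dataclass
class Finding:
    layer: str
    severity: str
    detail: str


def check_secrets(text: str) -> list[Finding]:
    """Secrets layer: hard-coded credential shapes (assumed patterns)."""
    patterns = {
        "AWS access key id": r"\bAKIA[0-9A-Z]{16}\b",
        "PEM private key": r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----",
    }
    return [Finding("secrets", "critical", name)
            for name, pat in patterns.items() if re.search(pat, text)]


def check_dangerous_code(source: str) -> list[Finding]:
    """Dangerous-code layer: walk the AST for eval()/exec() and shell=True calls."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return [Finding("dangerous-code", "low", "unparseable python")]
    out = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        fn = node.func
        name = fn.id if isinstance(fn, ast.Name) else getattr(fn, "attr", "")
        if name in ("eval", "exec"):
            out.append(Finding("dangerous-code", "high", f"{name}() call"))
        if any(k.arg == "shell" and isinstance(k.value, ast.Constant)
               and k.value.value is True for k in node.keywords):
            out.append(Finding("dangerous-code", "high", "shell=True subprocess call"))
    return out


def check_pii(text: str) -> list[Finding]:
    """PII layer: e-mail addresses and SSN-shaped numbers."""
    out = []
    if re.search(r"[\w.+-]+@[\w-]+\.[\w.]+", text):
        out.append(Finding("pii", "medium", "email address"))
    if re.search(r"\b\d{3}-\d{2}-\d{4}\b", text):
        out.append(Finding("pii", "high", "SSN-shaped number"))
    return out


def check_pickle(blob: bytes) -> list[Finding]:
    """Model-format layer: read pickle opcodes without ever unpickling.
    GLOBAL/STACK_GLOBAL import a callable and REDUCE invokes it, which is the
    mechanism by which a pickle executes code on load, so their presence is flagged."""
    risky = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ"}
    seen = sorted({op.name for op, _, _ in pickletools.genops(blob)} & risky)
    return [Finding("model-format", "critical", f"pickle opcodes {seen}")] if seen else []


def scan_artifact(files: dict[str, bytes]) -> dict:
    """Run the layers over every file, then derive score, grade and safety level."""
    findings: list[Finding] = []
    for path, data in files.items():
        if path.endswith((".pkl", ".pickle")):
            findings += check_pickle(data)
            continue
        text = data.decode("utf-8", errors="replace")
        findings += check_secrets(text) + check_pii(text)
        if path.endswith(".py"):
            findings += check_dangerous_code(text)
    score = max(0, 100 - sum(PENALTY[f.severity] for f in findings))
    grade = next((g for g, floor in GRADE_FLOOR.items() if score >= floor), "D")
    if any(f.severity == "critical" for f in findings):
        level = "QUARANTINE"  # blocked until the provider fixes and re-submits
    elif findings:
        level = "REVIEW"
    else:
        level = "SAFE"
    return {"score": score, "grade": grade, "level": level, "findings": findings}


class BenignReduce:
    """Harmless stand-in for a reduce-based pickle: on load it would call len("abc")."""
    def __reduce__(self):
        return (len, ("abc",))


# Constructed sample artifacts, not real listings.
CLEAN = {
    "README.md": b"# demo skill\nReads a CSV and returns row counts.\n",
    "model.pkl": pickle.dumps({"weights": [1.0, 2.0]}, protocol=2),
}
SUSPICIOUS = {
    "server.py": b"import subprocess\ndef run(c):\n    return subprocess.run(c, shell=True)\n",
    "config.py": b'AWS_KEY = "AKIAABCDEFGHIJKLMNOP"\n',
    "model.pkl": pickle.dumps(BenignReduce(), protocol=2),
}

if __name__ == "__main__":
    for name, art in (("clean", CLEAN), ("suspicious", SUSPICIOUS)):
        r = scan_artifact(art)
        print(name, r["score"], r["grade"], r["level"], [f.detail for f in r["findings"]])
```

The pickle layer is the part worth copying: it uses pickletools.genops to enumerate opcodes from the raw bytes, so a hostile model file is classified without ever being loaded, which is the same principle picklescan applies. The clean artifact scores 100/A/SAFE; the suspicious one carries two critical findings (a hard-coded key and a reduce-based pickle) plus a shell=True call, so it lands on QUARANTINE regardless of its numeric score.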

Grade A listings appear on the Most secure leaderboard. That leaderboard is updated in real time as new versions are scanned.

Deep scan engines

When configured, the scanner also invokes:

  • Opengrep — AST-level code analysis and taint tracking
  • picklescan — model-format malware detection for pickle-based artifacts
  • Gitleaks — deep secrets scanning across the full artifact tree
  • osv-scanner — CVE lookups against the Open Source Vulnerability database

Every new version upload triggers a fresh scan. Security posture is tracked over time.

Read the full technical breakdown in the nine-layer scanner: a deep dive.
