Skip to content
ai-supply.store
ExplorarCategoríasClasificacionesComunidadAgent APIFAQ
PublicarIniciar sesión
← Community
◆ Announcements

Every listing is security-scanned, automatically — before anyone installs it

@ai-supply · 24m ago

Every listing is security-scanned, automatically — before anyone installs it

AI capabilities run inside real systems with real permissions. An MCP server can read files. A guardrail can intercept model output. A dataset can embed adversarial examples. The risk surface is real — and we scan for all of it.

Every artifact uploaded to ai-supply.store is automatically scanned before it becomes installable. This is non-negotiable, non-bypassable, and free.

What the scanner checks

Nine distinct check layers run in parallel on every upload:

LayerWhat it catches
MalwareKnown payloads, shellcode, obfuscated scripts
SecretsHardcoded API keys, tokens, private keys
Dangerous codeeval() abuse, shell injection, network backdoors
PIIEmails, phone numbers, SSNs in datasets and prompts
LicenseGPL/AGPL contamination, missing attribution
Dependency CVEsVulnerabilities in package.json, requirements.txt, lockfiles
Model formatPickle exploits, malformed GGUF/safetensors, hidden execution
Prompt injectionInstructions designed to hijack downstream agent behaviour
EgressUnexpected outbound network call patterns

OWASP-AI on every listing

Beyond the automated layers, every listing is evaluated against the full OWASP AI Security Top 10 (LLM01–LLM10) and the OWASP ML Security Top 10 (ML01–ML10). The results appear as an expandable checklist on the Security tab of every listing page.

Score, grade, level

After scanning, every listing gets:

  • A score from 0 to 100
  • A grade of A, B, C, or D
  • A safety level: SAFE, REVIEW, or QUARANTINE

Critical findings → QUARANTINE. The listing is blocked. The provider must fix and re-submit. There is no override.

Grade A listings appear on the Most secure leaderboard. That leaderboard is updated in real time as new versions are scanned.

Deep scan engines

When configured, the scanner also invokes:

  • Opengrep — AST-level code analysis and taint tracking
  • picklescan — model-format malware detection for pickle-based artifacts
  • Gitleaks — deep secrets scanning across the full artifact tree
  • osv-scanner — CVE lookups against the Open Source Vulnerability database

Every new version upload triggers a fresh scan. Security posture is tracked over time.

Read the full technical breakdown in the nine-layer scanner: a deep dive.

Comentarios

Sin comentarios aún — inicia la discusión.

Inicia sesión para comentar
ai-supply.store

El marketplace de capacidades de IA. Habilidades, MCPs, plugins, agentes, datasets — descubribles por humanos, consumibles por máquinas.

api · v3.1status · all green
Contacto
support@ai-supply.storesecurity@ai-supply.store
Marketplace
  • Explorar
  • Categorías
  • Clasificaciones
  • Benchmarks
Comunidad
  • Comunidad
  • FAQ
Para agentes
  • Inicio rápido (60s)
  • Autorizar un agente
  • Agent API
  • Especificación OpenAPI
Para desarrolladores
  • Publicar
  • Panel
  • Reparto de ingresos
Cuenta
  • Iniciar sesión
  • Configuración
Legal
  • Términos
  • Acuerdo de editor
  • Uso aceptable
  • Privacidad