Reading the security score, grade, and level on a listing
Every listing on ai-supply.store displays three security indicators on its Security tab. Understanding what they mean takes about two minutes — and it's worth it before you install anything into a production agent.
The three indicators
1. Score (0–100)
The score is a weighted aggregate of all scan layer results. Higher is better.
- Each of the nine scan layers contributes to the score.
- Critical findings subtract heavily; informational notes subtract minimally.
- A listing with zero findings scores 100.
- Dependency CVEs, even at LOW severity, subtract a small amount — so an actively maintained dependency set scores better than a stale one.
The score updates with every new version upload.
2. Grade (A / B / C / D)
| Grade | Score range | What it means |
|---|---|---|
| A | 90–100 | No significant findings. Install with full confidence. |
| B | 75–89 | Minor informational notes. Likely fine for most use cases. |
| C | 50–74 | Notable findings. Review the OWASP checklist before installing. |
| D | 0–49 | Significant risks. Treat with caution even if not QUARANTINED. |
Grade A listings (score 90 or above) appear on the Most secure leaderboard at /leaderboards. For enterprise buyers and autonomous agents, this leaderboard is often the first filter.
3. Safety level (SAFE / REVIEW / QUARANTINE)
This is the actionable output:
SAFE
→ No action needed. Install with `npx ai-supply add <slug>`.
REVIEW
→ One or more scan layers raised a warning.
→ Buyers click "I understand the risks" to proceed.
→ Providers should review the flagged OWASP items and fix in the next version.
QUARANTINE
→ Blocked. The listing is not visible and cannot be installed.
→ Provider must fix the root cause and re-upload.
→ No buyer override is possible.
Where to find the Security tab
Open any listing at /listing/<slug> and click the Security tab. You'll see:
- The score badge + grade letter
- The safety level badge
- The OWASP-AI expandable checklist (LLM01–LLM10 + ML01–ML10)
- Per-engine findings (Opengrep, picklescan, Gitleaks, osv-scanner results)
- A version history of score changes
What to check as a buyer
For different listing kinds, focus on different OWASP items:
| Kind | Focus items |
|---|---|
| MCP server | LLM01 (prompt injection), LLM07 (insecure plugin), LLM08 (excessive agency) |
| AGENT | LLM08 (excessive agency), LLM02 (output handling), LLM05 (supply chain) |
| DATASET | LLM06 (info disclosure), ML04 (membership inference), ML02 (data poisoning) |
| PROMPT | LLM01 (prompt injection), LLM09 (overreliance) |
| MODEL | ML07 (transfer learning), ML03 (model inversion), ML10 (model poisoning) |
What to check as a provider
If your listing is in REVIEW:
- Go to the Security tab on your listing.
- Expand the OWASP checklist — flagged items show the specific finding.
- Fix the root cause (see what gets a listing quarantined and how to fix it).
- Upload a new version — the scanner re-runs automatically.
Comparing listings on security
Buyers can sort search results by security score:
```http
GET /api/v1/listings?category=cybersecurity&sort=security_score&order=desc
```
Or browse the leaderboards for the highest-scoring listings across all categories. All of the top-ranked listings are free to install right now.
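The following Node.js script is an added example, not code from ai-supply.store or its CLI. It turns the rules on this page into a buyer-side install gate: the grade bands from the grade table, the three safety levels (QUARANTINE can never be overridden; REVIEW needs an explicit "I understand the risks"), the per-kind focus items from the buyer table, and a client-side equivalent of the `sort=security_score&order=desc` query. The record shape (`slug`, `kind`, `security_score`, `grade`, `safety_level`, `findings[].owasp_id`), the kind spelling `MCP_SERVER`, the policy option `minGrade`, and the sample listings with their engine-to-OWASP-item mapping are all assumptions; the page does not document the API response format.

```javascript
// Added example, not ai-supply.store's own code: a buyer-side install gate
// built from the rules on this page. ASSUMED: the record shape
// { slug, kind, security_score, grade, safety_level,
//   findings: [{ layer, owasp_id, severity, message }] }
// and the kind spelling MCP_SERVER.

const LEVELS = ['SAFE', 'REVIEW', 'QUARANTINE'];
const GRADE_RANK = { A: 4, B: 3, C: 2, D: 1 };

// Focus items per listing kind (the buyer table above).
const FOCUS_ITEMS = {
  MCP_SERVER: ['LLM01', 'LLM07', 'LLM08'],
  AGENT: ['LLM08', 'LLM02', 'LLM05'],
  DATASET: ['LLM06', 'ML04', 'ML02'],
  PROMPT: ['LLM01', 'LLM09'],
  MODEL: ['ML07', 'ML03', 'ML10'],
};

// Grade bands from the grade table: A 90-100, B 75-89, C 50-74, D 0-49.
function gradeForScore(score) {
  if (typeof score !== 'number' || Number.isNaN(score) || score < 0 || score > 100) {
    throw new RangeError(`score out of range: ${score}`);
  }
  if (score >= 90) return 'A';
  if (score >= 75) return 'B';
  if (score >= 50) return 'C';
  return 'D';
}

// Findings a buyer should read first for this listing kind.
function focusFindings(listing) {
  const focus = FOCUS_ITEMS[listing.kind] || [];
  return (listing.findings || []).filter((f) => focus.includes(f.owasp_id));
}

// Decide whether `npx ai-supply add <slug>` should proceed.
//   block   QUARANTINE: no buyer override exists
//   prompt  something needs the buyer's explicit "I understand the risks"
//   install SAFE and at or above minGrade, or the buyer accepted the risk
function installDecision(listing, { minGrade = 'B', acceptRisk = false } = {}) {
  if (!LEVELS.includes(listing.safety_level)) {
    throw new Error(`unknown safety level: ${listing.safety_level}`);
  }
  const reasons = [];

  // Sanity check: the grade letter must agree with the published score.
  const expected = gradeForScore(listing.security_score);
  if (listing.grade !== expected) {
    reasons.push(`grade ${listing.grade} disagrees with score ${listing.security_score} (expected ${expected})`);
  }

  if (listing.safety_level === 'QUARANTINE') {
    return { action: 'block', reasons: [...reasons, 'listing is QUARANTINED'], review: [] };
  }
  if (listing.safety_level === 'REVIEW') {
    reasons.push('one or more scan layers raised a warning');
  }
  if (GRADE_RANK[listing.grade] < GRADE_RANK[minGrade]) {
    reasons.push(`grade ${listing.grade} is below policy minimum ${minGrade}`);
  }

  const review = focusFindings(listing);
  if (reasons.length === 0) return { action: 'install', reasons, review };
  return { action: acceptRisk ? 'install' : 'prompt', reasons, review };
}

// Client-side equivalent of ?sort=security_score&order=desc. Quarantined
// listings are dropped: the API never returns them, but a stale local cache might.
function rankBySecurity(listings) {
  return listings
    .filter((l) => l.safety_level !== 'QUARANTINE')
    .sort((a, b) => b.security_score - a.security_score || a.slug.localeCompare(b.slug));
}

// Constructed sample records (not real listings; engine-to-item mapping is assumed).
const SAMPLE_LISTINGS = [
  { slug: 'example-mcp', kind: 'MCP_SERVER', security_score: 93, grade: 'A', safety_level: 'SAFE', findings: [] },
  { slug: 'example-agent', kind: 'AGENT', security_score: 68, grade: 'C', safety_level: 'REVIEW',
    findings: [
      { layer: 'opengrep', owasp_id: 'LLM08', severity: 'MEDIUM', message: 'tool runs a shell command built from model output' },
      { layer: 'osv-scanner', owasp_id: 'LLM05', severity: 'LOW', message: 'dependency has a known advisory' },
      { layer: 'gitleaks', owasp_id: 'LLM06', severity: 'HIGH', message: 'hard-coded API token in config' },
    ] },
  { slug: 'example-model', kind: 'MODEL', security_score: 12, grade: 'D', safety_level: 'QUARANTINE',
    findings: [{ layer: 'picklescan', owasp_id: 'ML10', severity: 'CRITICAL', message: 'pickle imports os.system' }] },
];

for (const l of rankBySecurity(SAMPLE_LISTINGS)) {
  const d = installDecision(l);
  console.log(`${l.slug}: ${d.action}`, d.reasons, d.review.map((f) => f.owasp_id));
}
```

The gate is deliberately stricter than the site's own REVIEW prompt: it also asks for confirmation when the grade is below the buyer's minimum (default B, because grade D is to be treated with caution even when not quarantined) and when the published grade letter does not match the score, which would indicate a stale or tampered record. The quarantined listing is blocked regardless of `acceptRisk`, matching the "no buyer override" rule.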