How we vet

Security-vetted, so you don’t have to guess

Every AI capability on ai-supply is downloaded, scanned across multiple engines, and graded for security before it reaches you. Capabilities with critical findings are hidden by default. Unlike a generic registry, you’re not left to audit code on your own.

The security grade

Each capability earns a 0–100 security score from the scan, mapped to a letter grade you can read at a glance — on every card and every detail page.

  • A: score 90–100
  • B: score 75–89
  • C: score 60–74
  • D: score 0–59

What the levels mean

Beyond the score, each capability gets a level that decides how it shows up across the catalog.

✓ Security: Safe
Passed the checks. Shown everywhere, no caveats.
! Security: Review
Minor findings worth a glance. Shown, clearly flagged, with the full report on the detail page.
⚠ Quarantined
Critical findings. Hidden by default from browse, search and the sitemap — reachable only if you explicitly opt in to see flagged items.
· Scan pending
Not yet scanned, e.g. a brand-new listing. Shown transparently as “scan pending” — never silently passed off as safe.

What we scan for

Every source runs through the full pipeline — heuristics, the OWASP-AI control frameworks, and deep static and dependency engines — the same way whether a human or an agent published it.

Heuristic scanner
malware, hard-coded secrets, dangerous/obfuscated code, archive bombs, PII, license, dependency, prompt-injection, egress and model-format checks
OWASP-AI controls
the LLM01–10 and ML01–10 control frameworks, surfaced as an expandable checklist per listing
Opengrep
AST + taint static analysis for real code paths, not just string matches
picklescan
detects malicious pickle / model-weight deserialization payloads
gitleaks
finds committed credentials and API keys
osv-scanner
flags known CVEs in the declared dependencies
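To make the picklescan line concrete, here is an added illustration of the kind of check such a tool performs. It is example code written for this page, not picklescan's or ai-supply's own code: it walks a pickle's opcode stream with Python's standard pickletools and reports which module/attribute pairs the file would import on load, without ever unpickling it. The deny-list and the sample blobs are constructed for the demo.

```python
"""Opcode-level pickle scanner: an added illustration, not picklescan's code.

The idea behind tools such as picklescan is that a pickle can be inspected
as a stream of opcodes with pickletools.genops, so the modules it would
import on load are visible without ever calling pickle.loads().
"""
import collections
import io
import os
import pickle
import pickletools

# Constructed deny-list for this demo. A real scanner keeps a larger,
# maintained list. Note that a pickle of os.system names the module
# "posix" (or "nt" on Windows), not "os", so both must be covered.
DANGEROUS_MODULES = {
    "os", "posix", "nt", "subprocess", "builtins", "sys",
    "shutil", "socket", "runpy", "importlib",
}

# Opcodes that push a string onto the pickle machine's stack.
STRING_OPS = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
}


def referenced_globals(data: bytes) -> list:
    """Return every (module, name) pair the stream would import on load.

    GLOBAL carries "module name" inline; STACK_GLOBAL (protocol 4+) takes
    them from the two strings pushed before it, possibly via the memo.
    Only string pushes are tracked on a shadow stack, which is enough for
    pickles written by the standard pickler (a simplification of this demo).
    """
    refs = []
    shadow = []   # strings pushed so far; non-string values are ignored
    memo = {}     # memo slot -> string, so BINGET lookups resolve
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name in STRING_OPS:
            shadow.append(arg)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = shadow[-1] if shadow else None
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = shadow[-1] if shadow else None
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            shadow.append(memo.get(arg))
        elif op.name == "GLOBAL":
            module, _, name = arg.partition(" ")
            refs.append((module, name))
        elif op.name == "STACK_GLOBAL":
            name = shadow.pop() if shadow else None
            module = shadow.pop() if shadow else None
            refs.append((str(module), str(name)))
    return refs


def scan_pickle(data: bytes) -> dict:
    """Grade a blob the way the catalog levels do: 'safe' or 'quarantine'."""
    refs = referenced_globals(data)
    flagged = [(m, n) for m, n in refs if m.split(".")[0] in DANGEROUS_MODULES]
    return {
        "globals": refs,
        "flagged": flagged,
        "verdict": "quarantine" if flagged else "safe",
    }


# Constructed samples. Pickling a function object only records a
# module/name reference; nothing runs here and pickle.loads is never called.
SAFE_WEIGHTS = pickle.dumps({"layer1": [0.1, -0.2], "epoch": 3}, protocol=4)
LIBRARY_REF = pickle.dumps(collections.OrderedDict(a=1), protocol=4)
SUSPICIOUS_V2 = pickle.dumps(os.system, protocol=2)  # GLOBAL "posix system"
SUSPICIOUS_V4 = pickle.dumps(os.system, protocol=4)  # STACK_GLOBAL


if __name__ == "__main__":
    for label, blob in [("weights", SAFE_WEIGHTS), ("library", LIBRARY_REF),
                        ("v2", SUSPICIOUS_V2), ("v4", SUSPICIOUS_V4)]:
        report = scan_pickle(blob)
        print(f"{label:8} {report['verdict']:10} globals={report['globals']}")
```

Two points worth noticing from running it: a plain dict of weights references no globals at all, while a pickled OrderedDict references collections.OrderedDict and is reported but not flagged, which is the distinction a scanner has to draw between library types a model file legitimately needs and modules that execute code on load. The second is that the pickled reference to os.system is recorded under the module name posix (nt on Windows), so a deny-list keyed on os alone would miss it; keeping that mapping current is exactly the maintenance a dedicated tool like picklescan does on your behalf.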

Kept up to date

We track each source’s upstream releases and commits, and automatically re-scan when it moves — so a capability that was safe last year is still safe today, and its freshness is shown right on the card.

Free, always

Every capability here is free. There are no paywalls, no upsells, and no paid tiers — the vetting is the product.
