HackerTrans
TopNewTrendsCommentsPastAskShowJobs

vinodkone

no profile record

Submissions

AI agent security needs a composition graph, not just an SBOM

openaca.dev
5 points·by vinodkone·18일 전·0 comments

Show HN: OpenACA – security scanner for AI agent stacks (MCPs,skills,plugins)

github.com
2 points·by vinodkone·26일 전·3 comments

comments

vinodkone
·18일 전·discuss
[flagged]
vinodkone
·25일 전·discuss
Thanks. Here are the answers to your questions.

Security rules: There are 2 kinds of rules we check. One is checking for security advisories for components by looking up centralized a CVE database (osv.dev). This requires an API call. The other type of check we do is for "posture" (e.g., using http instead of https, using unpinned versions). This is completely local an doesnt require an API call.

Enforcement: Currently, the scanner works in informational mode, even in Claude Code. It shows you scan findings but doesn't block any tool calls or skill invocations. This is on our roadmap.

False positives: One of the things OpenACA does differently from the other skill/mcp scanners out there is that it doesn't run its own detection algorithm based on contents, which is a major source of false positives. Instead OpenACA extracts the stable ID of the component and looks up an advisory database like osv.dev which has known confirmed vulnerabilities.
vinodkone
·26일 전·discuss
[flagged]