Supply-chain security for AI agents

Open Agent Composition Analysis

Your dependency scanner can't see your agent stack. OpenACA resolves plugins, MCP servers, skills, hooks, and dependencies into a composition graph, then matches every component against published vulnerability and malicious-package advisories. Run it locally or as a CI gate that fails the build on findings.

$ curl -fsSL https://openaca.dev/install.sh | sh
$ openaca scan endpoint

Piping an installer straight into sh is exactly the unpinned, unverified install pattern this tool reports on; if your policy requires it, fetch install.sh to a file and read it before running it.

Example output of `openaca scan endpoint` (composition, then findings):
Claude Code · ~/.claude · 2 plugins · 9 components

claude-plugin/[email protected]
  mcp servers
    @cyanheads/[email protected]
  skills
    brainstorming · pdf-tools
claude-plugin/[email protected]
  mcp servers
    [email protected]

── findings (1) ──────────────────
HIGH GHSA-3q26-f695-pp76 command injection
  component @cyanheads/[email protected]
  via       plugin superpowers
  fix       upgrade to ≥ 2.1.5   osv.dev

Identity Resolution

Identify everything — even the unnamed

Resolve npx one-liners, unpinned installs, and components with no package coordinates into stable, matchable identities.

Composition Graph

See your whole agent stack

Map the structure: host → plugin → MCP server, skill, hook, dependency. Your Agent BOM.

Risk Attribution

Trace every risk to its source

Not "package X is vulnerable" — "X is here because plugin Y bundles it." Know what to remove or fix.

Advisory Intelligence

Know what's vulnerable

Match components against OSV / GHSA / CVE / MAL (OSV's malicious-package records), enriched with agent-specific context such as which plugin bundles the component and whether it is pinned.
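The four steps above (identity resolution, composition graph, risk attribution, advisory matching) as one runnable sketch, plus the CI-gate exit status. This is an added example and not OpenACA's code or output format: the plugin manifest field names, the package names, the advisory ids and the rule that an unpinned install inherits the worst open advisory's severity are all assumptions, and every sample input is constructed.

```python
# Added illustration, not OpenACA's own code. Resolves MCP server launch lines to
# identities, builds the host -> plugin -> component graph, matches identities
# against OSV-style introduced/fixed ranges and attributes each finding to the
# plugin that bundles the component. All names and data below are constructed.
import re
from dataclasses import dataclass, field
from typing import Optional

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Identity:
    ecosystem: str           # "npm", "pypi", or "generic" when there are no package coordinates
    name: str
    version: Optional[str]   # None when the install is unpinned (no tag, or "latest")

    @property
    def purl(self) -> str:
        # purl encodes an npm scope "@s/n" as the namespace "%40s/n"
        name = "%40" + self.name[1:] if self.name.startswith("@") else self.name
        return f"pkg:{self.ecosystem}/{name}" + (f"@{self.version}" if self.version else "")


_NPM_SPEC = re.compile(r"^(@[^/@]+/[^@]+|[^@]+)(?:@(.+))?$")   # "@scope/name@ver" or "name@ver"


def resolve(command: str, args: list[str]) -> Identity:
    """Turn the command line that launches an MCP server into a matchable identity."""
    spec = next((a for a in args if not a.startswith("-")), None)  # first non-flag token
    if command == "npx" and spec:
        name, version = _NPM_SPEC.match(spec).groups()
        return Identity("npm", name, None if version in (None, "latest") else version)
    if command == "uvx" and spec:
        name, _, version = spec.partition("==")
        return Identity("pypi", name, version or None)
    # bare binary or script path: no coordinates, so the basename is the only stable handle
    return Identity("generic", command.rsplit("/", 1)[-1], None)


def _vkey(v: str) -> tuple:
    """Numeric comparison key; pre-release suffixes are dropped (simplification)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("-")[0].split("."))


@dataclass(frozen=True)
class Advisory:
    id: str
    ecosystem: str
    package: str
    introduced: str          # OSV "introduced" event; "0" means every version
    fixed: Optional[str]     # OSV "fixed" event; None means no fix published
    severity: str
    summary: str

    def affects(self, ident: Identity) -> bool:
        if (self.ecosystem, self.package) != (ident.ecosystem, ident.name) or ident.version is None:
            return False
        v = _vkey(ident.version)
        return _vkey(self.introduced) <= v and (self.fixed is None or v < _vkey(self.fixed))


@dataclass
class Node:
    kind: str                 # host | plugin | mcp_server | skill
    label: str
    identity: Optional[Identity] = None
    children: list["Node"] = field(default_factory=list)


def build_graph(host: str, plugins: dict) -> Node:
    """host -> plugin -> {mcp_server, skill}: the Agent BOM as a tree."""
    root = Node("host", host)
    for pname, p in plugins.items():
        plugin = Node("plugin", f"{pname}@{p['version']}")
        for sname, s in p.get("mcpServers", {}).items():
            plugin.children.append(Node("mcp_server", sname, resolve(s["command"], s.get("args", []))))
        for skill in p.get("skills", []):
            plugin.children.append(Node("skill", skill))
        root.children.append(plugin)
    return root


def scan(root: Node, advisories: list[Advisory]) -> list[dict]:
    """Walk the graph; each finding carries the path explaining why the component is present."""
    findings = []

    def add(sev, fid, ident, via, fix):
        findings.append({"severity": sev, "id": fid, "component": ident.purl, "via": via, "fix": fix})

    def walk(node: Node, path: list[str]):
        path = path + [node.label]
        ident = node.identity
        if ident is not None:
            known = [a for a in advisories if (a.ecosystem, a.package) == (ident.ecosystem, ident.name)]
            if ident.ecosystem == "generic":
                add("LOW", "UNRESOLVED", ident, path, "install from a package with coordinates")
            elif ident.version is None:
                # unpinned: no advisory can be ruled in or out, and the next run may fetch a different version
                worst = max((a.severity for a in known), key=SEVERITY_RANK.get, default="LOW")
                add(worst, "UNPINNED", ident, path, "pin a version; open advisories: " + ", ".join(a.id for a in known))
            else:
                for a in known:
                    if a.affects(ident):
                        add(a.severity, a.id, ident, path, f"upgrade to >= {a.fixed}" if a.fixed else "no fix published")
        for child in node.children:
            walk(child, path)

    walk(root, [])
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f["severity"]])


def gate(findings: list[dict], threshold: str = "HIGH") -> int:
    """CI exit status: 1 when any finding is at or above the threshold."""
    worst = max((SEVERITY_RANK[f["severity"]] for f in findings), default=0)
    return 1 if worst >= SEVERITY_RANK[threshold] else 0


# Constructed plugin manifests; field names are an assumption, not Claude Code's real schema
SAMPLE_PLUGINS = {
    "superpowers": {"version": "4.0.0",
                    "mcpServers": {"git": {"command": "npx", "args": ["-y", "@example/git-mcp@2.1.4"]}},
                    "skills": ["brainstorming", "pdf-tools"]},
    "docs": {"version": "1.0.0",
             "mcpServers": {"docs": {"command": "npx", "args": ["-y", "@example/docs-mcp@latest"]},
                            "local": {"command": "/opt/tools/local-mcp", "args": ["--stdio"]}}},
}
# Constructed advisories in OSV's introduced/fixed shape; ids and package names are hypothetical
SAMPLE_ADVISORIES = [
    Advisory("GHSA-EXAMPLE-0001", "npm", "@example/git-mcp", "0", "2.1.5", "HIGH", "command injection"),
    Advisory("GHSA-EXAMPLE-0002", "npm", "@example/docs-mcp", "1.0.0", None, "MEDIUM", "path traversal"),
]

if __name__ == "__main__":
    results = scan(build_graph("Claude Code", SAMPLE_PLUGINS), SAMPLE_ADVISORIES)
    for f in results:
        print(f"{f['severity']:8} {f['id']:20} {f['component']}\n  via {' -> '.join(f['via'])}\n  fix {f['fix']}")
    raise SystemExit(gate(results, "HIGH"))
```

Two design points worth keeping when building something like this for real: an unpinned install (no version, or `@latest`) must never be reported as clean, because the version that runs tomorrow is not the version that was scanned today; and a finding without the `via` path is not actionable, since the fix for a bundled MCP server is usually to update or drop the plugin, not the package.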

Browse advisory context →