Open Agent Composition Analysis

Your dependency scanner can't see your agent stack.

OpenACA resolves plugins, MCP servers, skills, hooks, and dependencies into a composition graph, then matches them against known security records. Run your first scan locally in under a minute.

$ curl -fsSL https://openaca.dev/install.sh | sh
openaca scan endpoint: composition + findings
$ openaca scan endpoint
Claude Code · ~/.claude · 2 plugins · 9 components

claude-plugin/[email protected]
  mcp servers
    @cyanheads/[email protected] 
  skills
    brainstorming · pdf-tools
claude-plugin/[email protected]
  mcp servers
    [email protected]

── findings (1) ──────────────────
HIGH GHSA-3q26-f695-pp76 command injection
  component @cyanheads/[email protected]
  via       plugin superpowers
  fix       upgrade to ≥ 2.1.5   osv.dev

Works with

Claude Code · Claude plugins · MCP servers · Skills · Hooks · OSV

Built for review

Open source · Runs locally · No MCP execution · CycloneDX Agent BOM · CLI + GitHub Action

Identity Resolution

Identify everything — even the unnamed

Resolve npx one-liners, unpinned installs, and components with no package coordinates into stable, matchable identities.

Composition Graph

See your whole agent stack

Map the structure: host → plugin → MCP server, skill, hook, dependency. That graph is your Agent BOM.

Risk Attribution

Trace every risk to its source

Not "package X is vulnerable" — "X is here because plugin Y bundles it." Know what to remove or fix.

Advisory Intelligence

Know what's vulnerable

Match components against OSV / GHSA / CVE / MAL, enriched with agent-specific context.

Browse advisory context →
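The four ideas above (resolving npx one-liners and unpinned installs into identities, the host → plugin → component graph, matching against OSV-style records, and attributing each hit to the plugin that bundles it) in one short Python script. This is an added example, not OpenACA's code: the manifest, package names, versions and advisory ids are constructed, and the OSV range check is simplified to plain dotted versions.

```python
"""Added illustration, not OpenACA's code: resolve MCP identities, build a
host -> plugin -> component graph, match OSV-style records, attribute hits."""
import re
import shlex
from collections import defaultdict

# Constructed manifest: MCP servers appear as explicit package coordinates or as
# raw npx one-liners that still need resolving. All names/versions are made up.
MANIFEST = {
    "host": "Claude Code",
    "plugins": [
        {"name": "example-plugin-a", "version": "1.0.0",
         "mcp_servers": [{"command": "npx -y @example/git-tools@2.1.4"}],
         "skills": ["brainstorming"]},
        {"name": "example-plugin-b", "version": "0.4.2",
         "mcp_servers": [{"command": "npx -y @example/fs-server"},  # unpinned
                         {"package": "@example/git-tools", "version": "2.1.5"}]},
    ],
}

# Constructed advisories in the OSV shape: affected if introduced <= v < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "@example/git-tools", "severity": "HIGH",
     "summary": "command injection", "introduced": "0.0.0", "fixed": "2.1.5"},
    {"id": "EXAMPLE-ADV-0002", "package": "@example/fs-server", "severity": "MEDIUM",
     "summary": "path traversal", "introduced": "0.0.0", "fixed": "1.3.0"},
]
PKG_SPEC = re.compile(r"^(?P<name>@?[^@\s]+)(?:@(?P<version>\S+))?$")

def resolve_identity(spec):
    """Return (package, version). Unpinned installs resolve to version None so
    they remain matchable and are reported as unpinned rather than dropped."""
    if "package" in spec:
        return spec["package"], spec.get("version")
    argv = shlex.split(spec["command"])
    if not argv or argv[0] != "npx":
        raise ValueError(f"unsupported launcher: {spec['command']}")
    # First non-flag token after npx (skipping -y/--yes etc.) is the package spec.
    target = next((a for a in argv[1:] if not a.startswith("-")), "")
    match = PKG_SPEC.match(target)
    if not match:
        raise ValueError(f"cannot resolve a package from: {spec['command']}")
    return match.group("name"), match.group("version")

def build_graph(manifest):
    """Return (nodes, parents): node attributes and parent edges for attribution."""
    nodes, parents = {manifest["host"]: {"kind": "host"}}, defaultdict(set)
    for plugin in manifest["plugins"]:
        pid = f"plugin:{plugin['name']}@{plugin['version']}"
        nodes[pid] = {"kind": "plugin"}
        parents[pid].add(manifest["host"])
        for spec in plugin.get("mcp_servers", []):
            name, version = resolve_identity(spec)
            cid = f"mcp:{name}@{version or 'unpinned'}"
            nodes[cid] = {"kind": "mcp_server", "package": name, "version": version}
            parents[cid].add(pid)
        for skill in plugin.get("skills", []):
            nodes[f"skill:{skill}"] = {"kind": "skill"}
            parents[f"skill:{skill}"].add(pid)
    return nodes, parents

def vtuple(version):
    return tuple(int(part) for part in version.split("."))

def is_affected(advisory, version):
    """Unpinned (None) cannot be shown to sit outside the range, so it counts."""
    if version is None:
        return True
    return vtuple(advisory["introduced"]) <= vtuple(version) < vtuple(advisory["fixed"])

def bundling_plugins(node_id, nodes, parents):
    """Walk parent edges upward and collect the plugins that bundle the node."""
    found, stack = set(), [node_id]
    while stack:
        for parent in parents.get(stack.pop(), ()):
            if nodes[parent]["kind"] == "plugin":
                found.add(parent)
            else:
                stack.append(parent)
    return sorted(found)

def scan(manifest, advisories):
    """Match every resolved component and attribute each hit to its plugin."""
    nodes, parents = build_graph(manifest)
    findings = []
    for node_id, attrs in nodes.items():
        if "package" not in attrs:  # hosts, plugins and skills carry no coordinates
            continue
        for adv in advisories:
            if adv["package"] == attrs["package"] and is_affected(adv, attrs["version"]):
                fix = f"upgrade to >= {adv['fixed']}"
                if attrs["version"] is None:
                    fix += " and pin the version"
                findings.append({"severity": adv["severity"], "id": adv["id"],
                                 "summary": adv["summary"], "component": node_id,
                                 "via": bundling_plugins(node_id, nodes, parents), "fix": fix})
    return findings

if __name__ == "__main__":
    for f in scan(MANIFEST, ADVISORIES):
        print(f"{f['severity']} {f['id']} {f['summary']} | {f['component']} via {', '.join(f['via'])} | {f['fix']}")
```

Two details are worth noticing: the 2.1.5 copy of the same package is not reported because the range check excludes the fixed version, and the unpinned server is reported with a "pin the version" remediation because an unpinned install can never be shown to be outside an affected range.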

Local

Scan your stack

Developers run the open-source scanner on their endpoint or in a repo.

CI

Gate shared configs

Check agent manifests before plugins, skills, and MCP servers spread.

OpenACA Cloud for teams

See every developer's agent stack in one place.

The open-source scanner gives one developer a local answer. Cloud turns those Agent BOMs into team-wide inventory, drift, findings, and policy state.

Inventory: plugins, MCPs, skills, hooks
Drift: what changed since last scan
Findings: attribution across endpoints
Policy: team rules, not laptop by laptop

Try it on your own stack

Scan an agent stack in under a minute.

Start with the local CLI. When your team needs a shared view across endpoints, OpenACA Cloud rolls Agent BOMs into one dashboard.

$ curl -fsSL https://openaca.dev/install.sh | sh
See Cloud for teams