OpenA2A: CLI · HackMyAgent · Secretless · AIM · Browser Guard · DVAA
Open-source security platform for AI agents. Installed as opena2a-cli on npm.
npx opena2a-cli review OpenA2A Security Review v0.8.21
Findings
-----------------------------------------------
Credential scan 3 hardcoded keys
Shadow AI 2 agents, 4 MCP servers
Config integrity unsigned
Governance no SOUL.md
-----------------------------------------------
Security Score 30 / 100 -> 85 by running opena2a protect
Run: opena2a protect (fix all findings)
Install globally if you prefer:
npm install -g opena2a-cli
brew tap opena2a-org/tap && brew install opena2aYou do not need this README. The CLI has built-in discovery:
opena2a ? # Contextual recommendations for your project
opena2a ~shadow ai # Semantic search across all commands
opena2a "find leaked credentials" # Natural language command matching
opena2a # Interactive guided wizard (no args)| Command | What it does |
|---|---|
opena2a review |
Full security dashboard — HTML report, 6-phase assessment |
opena2a detect |
Find shadow AI agents, MCP servers, AI configs. Governance score. |
opena2a protect |
Fix everything — credentials, .gitignore, config signing |
opena2a init |
Read-only security assessment with trust score |
opena2a identity create |
Cryptographic identity for your project |
opena2a harden-soul |
Generate SOUL.md governance rules |
opena2a scan |
204 security checks via HackMyAgent |
opena2a shield init |
Full security setup — all of the above, one command |
Full command reference: opena2a.org/docs
Each command routes to a specialized tool, installed on first use:
| Command | Tool | Description |
|---|---|---|
detect |
Shadow AI | Discover AI agents, MCP servers, AI configs |
identity |
AIM | Cryptographic identity, audit logs, trust scoring |
scan |
HackMyAgent | 204 security checks, 115 attack payloads, auto-fix |
scan-soul |
SOUL Scanner | 72 governance controls, 9 domains, 6 profiles |
harden-skill |
Skill Hardener | Frontmatter validation, permission scoping, integrity pinning |
secrets |
Secretless AI | Credential management for AI coding tools |
mcp |
MCP Security | Audit, sign, and verify MCP server configurations |
benchmark |
OASB | 222 attack scenarios, compliance scoring |
train |
DVAA | Vulnerable AI agent for security training |
create |
Skill Scaffolding | Secure skill templates with signing and heartbeat |
guard harden |
HackMyAgent | Scan skills for hardening issues, auto-fix |
- Developer using AI coding tools — 5 minutes
- Security team assessing AI risk — 10 minutes
- MCP server author — 15 minutes
- CI/CD pipeline integration
Full command reference, Shield subcommands, scope drift detection, behavioral governance, credential patterns, and CI/CD examples: opena2a.org/docs
- Node.js >= 18
- Optional: Docker (for
opena2a train)
Apache-2.0