About AgentScore
By Michael K Onyekwere
AgentScore is building the public security memory for MCP packages.
MCP adoption is accelerating across Claude, ChatGPT, VS Code, and Cursor. But most teams still lack a durable record of what MCP packages they install, what those packages expose, what changed between versions, and how maintainers responded when risk surfaced.
AgentScore closes that gap. We monitor 1,160 MCP packages on npm, keep scan history on every version, publish public advisories and repo dossiers, and provide a CI policy gate for teams that want an allow, warn, or block decision before merge.
Fresh scans can be copied. Time depth cannot. The moat is the historical record: what changed, when it changed, who responded, what got fixed, and how the ruleset improved after public correction.
What We Publish
Package reports
Scan any npm package and get a dated dossier: score, findings, publisher posture, capability surface, ruleset, scanner version, and the public correction path when the scanner is wrong.
Repo dossiers
Inspect a public GitHub repo and see every MCP package it installs, the aggregate capability surface that stack grants to an agent, and the policy verdict the CI gate would return.
Advisories and disclosures
1,160 packages monitored continuously. We publish score changes, capability drift, and disclosure-grade incidents with a timestamped evidence trail.
Precision lineage
The scanner changelog is public. False positives, mitigators, and maintainer feedback loops are visible so the ecosystem can audit how the ruleset improved over time.
Policy Gate
The gate is the enforcement layer, not the whole story. It consumes the same package intelligence in CI for teams that want merge-time allow, warn, or block decisions.
What AgentScore Is Not
AgentScore is not a runtime sandbox, not a registry, and not an official vulnerability numbering authority. It is a public evidence layer: scans, dossiers, advisories, repo exposure, and maintainer response history. The value is that the evidence stays inspectable after the moment of discovery.
The policy gate matters because it operationalises that evidence in CI. But the intelligence layer comes first. If the ecosystem cannot read, cite, and challenge the underlying record, the gate has no authority worth adopting.
Why Now
npm supply-chain attacks are not hypothetical. On March 31, 2026, the axios package was compromised via a hijacked maintainer account. Any npx -y install would have pulled the malicious version with no warning. MCP servers deserve the same supply-chain scrutiny as any other dependency, with added attention to the capabilities they grant to an agent once installed.
The Company
AgentScore is built by Janus Compliance Limited, a UK company focused on AI assurance and supply-chain security.
Privacy
AgentScore collects the minimum personal data needed to make the service work. Most of the site can be used without giving us any personal data at all. The exceptions are watchlist subscriptions and the contact form, both opt-in.
Package watchlist
When you subscribe a package on any report page, we store your email address and the package name. The lawful basis is your consent under UK-GDPR Article 6(1)(a). We confirm that consent by sending you a one-time link to verify the address; we only email you alerts after you click it. Every alert contains a one-click unsubscribe link, no login required. We do not use watchlist emails for marketing and we do not share them. Records are retained until you unsubscribe or for 24 months of inactivity, whichever comes first. Email delivery is provided by Resend (data stored in the United States); data-protection requests go to security@agentscores.xyz.
Analytics
We use Vercel Web Analytics and an internal server-side page-view counter. Both are configured to avoid storing identifiable personal data: Vercel hashes IPs server-side, and our internal tracker hashes (IP, user-agent, accept-language) under a server-side salt before storing. The resulting fingerprint cannot be reversed to an individual.
Contact form
Submissions through /contact are stored so we can reply. Lawful basis: consent. Retention is tied to the lifecycle of the conversation; we delete on request.