⚠️Install with caution. This skill has very few installs. Always review the source and verify it on clawhub.ai before installing. Community-built skills run with agent permissions — only install ones you trust.

🤖 Agent Frameworks

agent-bom vulnerability intelv0.88.5

Name: agent-bom vulnerability intel
Author: msaad00

agent-bom-vulnerability-intel

msaad00

Use agent-bom to check package, SBOM, inventory, and agent dependency exposure against OSV, GitHub Security Advisories, NVD, EPSS, and CISA KEV with explicit...

Download Package View on ClawHub

Installs (all time)

Installs (current)

Downloads

1.1K

Stars

CreatedApr 30, 2026

UpdatedJun 1, 2026

Install & Quick Start

Install via ClawdBot CLI:

clawdbot install msaad00/agent-bom-vulnerability-intel

Skill Package1 files

📋SKILL.mdmarkdown

Failed to load file.

Quality Score

C44/100

Grade Limited — based on market validation, documentation quality, package completeness, maintenance status, and authenticity signals.

Market Validation1/35

· 30 downloads (minimal demand)
· No tracked installs (may still have real users via manual install)

Documentation16/25

· SKILL.md present
· Detailed documentation (≥3000 chars)
· Detailed summary

Package Completeness6/15

· skillAssets present (0 files)

Security Analysis

💙 Low Risk

UNDOCUMENTED_EXTERNALlow

Calls external URL not in known-safe list

https://github.com/msaad00/agent-bom

KNOWN_EXTERNALlow

Uses known external API (expected, informational)

api.github.com

Audited May 1, 2026 · audit v1.0

💡

Usage Guide

Generated May 6, 2026

Security engineers and analysts handling vulnerability triageDevSecOps and DevOps engineers integrating security into CI/CDSoftware developers needing quick CVE lookups for dependenciesintermediate

💡 Application Scenarios

Open Source Dependency Vulnerability TriageSoftware Development / Cybersecurity

A security engineer receives alerts about critical CVEs in the project’s Python dependencies. Using agent-bom, they quickly run `check-package` for each affected package (e.g., flask==2.0.0) to fetch advisories from OSV, GHSA, NVD, EPSS, and CISA KEV, assess exploitability and fix versions, and decide on patch priority without leaving the terminal.

SBOM-Based Supply Chain Risk AssessmentSupply Chain Management / Cybersecurity

An organization receives a CycloneDX SBOM from a third-party vendor. The security team uses agent-bom's `scan-local` mode with the SBOM file to automatically enrich each component with vulnerability intelligence, filtering by CISA KEV and EPSS scores to identify actively exploited weaknesses before approving the vendor integration.

PR Gate for CI/CD PipelineDevOps / Software Development

A DevSecOps engineer integrates agent-bom into a CI/CD pipeline to generate a SARIF report for each pull request. The tool checks newly added packages against advisory databases, fails builds for CVEs with known exploits, and provides fix version recommendations, ensuring no vulnerable dependency is merged into production.

Offline Vulnerability Review for Sensitive PackagesFinance / Healthcare (highly regulated)

An internal tool uses custom-built packages with names that must not be exposed externally. The operator runs agent-bom in `offline-review` mode with a local cache of advisories, allowing the security team to check for known vulnerabilities without sending any package identifiers to external APIs, maintaining data confidentiality.

Agent-Based Inventory Vulnerability ScanningIT Operations / Cybersecurity

A DevOps team has a fleet of agents running on different servers. They use agent-bom's `agents` command with an inventory JSON to scan all installed packages across the infrastructure, collecting a unified findings report. This enables centralized vulnerability management and prioritization based on EPSS and KEV status.

💼 Business Models

Freemium CLI Tool with Optional API Key UpgradesSubscription fees from enterprise customers

The agent-bom skill is offered as a free, open-source CLI tool with unlimited public advisory lookups. Revenue is generated through an enterprise tier that provides persistent caching, private registry support, and dedicated support, charged via subscription.

Security Consulting and Integration ServicesConsulting fees and training contracts

Offer professional services to help organizations integrate agent-bom into their CI/CD pipelines, configure SBOM scanning, and establish vulnerability triage workflows. Revenue comes from hourly consulting, custom script development, and training workshops.

Managed Vulnerability Intelligence PlatformMonthly/yearly SaaS fees based on usage tiers

Build a cloud platform around agent-bom that aggregates findings from multiple agents, provides a dashboard for vulnerability prioritization, and generates compliance reports (e.g., for SOC 2, FedRAMP). Revenue is generated via SaaS subscriptions based on number of agents and scans.

💬 Integration Tip

To integrate agent-bom into a CI/CD pipeline, add a step that runs `agent-bom check` on the packages from your requirements file and outputs SARIF for automated PR comments.