Use Case

Agentic Resource Discovery (ARD) Trust Layer

A brand-new discovery spec just told you, in writing, that its own relevance score isn't a trust signal.

HIGH
The spec's own conformance fixture ships an A2A agent, an MCP server, and a tool — none with a trustManifest
ards-project/ard-spec · CHK-154 · AI confirmed
4 real catalogs found missing trustManifest entirely
7 invocable entries flagged (CHK-154)
0 other scanners check ARD catalogs at all
How it works
01. Connect your GitHub org
OAuth in 30 seconds. AISS discovers every MCP server, skill file, hook, and agent config across all repos.
02. 22 modules scan in parallel
CVE lookup, secret scanning, auth checking, tool description analysis, skill file parsing — all concurrent, all hand-written.
03. LLM verifies high-severity
Critical and high findings go to an LLM verifier before reporting. No false positives reach your CISO.
04. Gate, alert, or export
Block in CI via SARIF. Send to SIEM via NDJSON. Export CycloneDX SBOM. Enforce allowlist/blocklist policy.
Press coverage
VentureBeat
Anthropic Skill scanners passed every check. The malicious code rode in on a test file.
VentureBeat
No publicly documented scanner operates outside the assumption that the threat lives in SKILL.md.
CrowdStrike · RSAC 2026
ClawHavoc — 1,184 malicious skills confirmed in the wild. The attack surface is the skill layer.