CHK-154
MEDIUM – HIGH

Invocable ARD catalog entry published with no trustManifest

category: ard_trust · source: services/scanner/ard_catalog_scanner.py
OWASP MCP Top 10: MCP-T09 Supply Chain Compromise

What it detects

An entry inside an ai-catalog.json manifest (Agentic Resource Discovery spec v0.9 — Google/Microsoft/Hugging Face, May 28 2026) that advertises a directly invocable capability — an MCP server, an A2A agent, or a registry — with no trustManifest object at all.

This isn't a hypothetical gap: the ARD spec itself states in section 7.2 that a registry's relevance score 'MUST NOT be interpreted as a cryptographic trust, compliance, or safety rating.' trustManifest is the spec's only verification hook, and it's explicitly optional on every entry. An orchestrator discovering an entry through search has zero verifiable signal before connecting to it unless the publisher chose to add one.

Severity is HIGH for directly-invocable types (mcp-server-card, a2a-agent-card — these run code or call APIs the moment they're connected) and MEDIUM for ai-registry entries, which are themselves only a discovery layer rather than something directly invoked.

Real example

ards-project/ard-spec (official ARD spec repo): CONFIRMED

The spec's own conformance test fixture (conformance/examples/ai-catalog.json) ships three entries — an A2A agent, an MCP server, and a tool — none carrying a trustManifest. Confirmed by direct fetch and hand-traced against the checker logic. The same gap was independently found in several real early-adopter catalogs discovered five days post-launch — not named individually here pending the same disclosure-first review every other finding on this page went through.

How to fix it

Add a trustManifest object with at minimum a verifiable identity

A minimal trustManifest needs only an identity field — a DID, a SPIFFE ID, or simply the publisher's own HTTPS domain — so an orchestrator has something concrete to check before connecting. Tanav's own catalog at tanav.ai/.well-known/ai-catalog.json is published with exactly this minimal form, rather than with an incomplete did:web document that would only make it look more sophisticated than it is.

// Before — no trustManifest at all:
{
  "identifier": "urn:air:acme.com:server:files",
  "type": "application/mcp-server-card+json"
}

// After:
{
  "identifier": "urn:air:acme.com:server:files",
  "type": "application/mcp-server-card+json",
  "trustManifest": { "identity": "https://acme.com" }
}
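To make both halves of this page concrete (the detection logic described under "What it detects" and the minimal fix described under "How to fix it"), here is a small stand-alone checker in the spirit of CHK-154. It is an added example written for this page, not the scanner code from services/scanner/ard_catalog_scanner.py. It goes slightly beyond the checker as described: besides flagging entries with no trustManifest at all, it also reports a trustManifest whose identity is not one of the three forms the fix section names (DID, SPIFFE ID, HTTPS domain). The a2a-agent-card, ai-registry and tool type strings, the top-level "entries" key, and the sample catalog itself are assumptions constructed for the example; only the mcp-server-card type and the acme.com entry come from the page.

```python
import json
from typing import Optional

# Type string for MCP server cards is taken from the page; the others are
# assumed MIME-style names for the a2a-agent-card and ai-registry entry kinds.
DIRECTLY_INVOCABLE = {
    "application/mcp-server-card+json": "HIGH",
    "application/a2a-agent-card+json": "HIGH",  # assumed type string
}
DISCOVERY_LAYER = {
    "application/ai-registry+json": "MEDIUM",  # assumed type string
}


def identity_is_verifiable(identity) -> bool:
    """A minimal trustManifest identity: DID, SPIFFE ID, or an HTTPS URL."""
    if not isinstance(identity, str):
        return False
    return (
        identity.startswith("did:")
        or identity.startswith("spiffe://")
        or identity.startswith("https://")
    )


def check_entry(entry: dict) -> Optional[dict]:
    """Return a CHK-154 finding for one catalog entry, or None if it passes."""
    entry_type = entry.get("type", "")
    severity = DIRECTLY_INVOCABLE.get(entry_type) or DISCOVERY_LAYER.get(entry_type)
    if severity is None:
        # Tool cards and unknown types are outside the scope of this checker.
        return None

    finding = {
        "checker": "CHK-154",
        "identifier": entry.get("identifier"),
        "type": entry_type,
        "severity": severity,
    }
    manifest = entry.get("trustManifest")
    if manifest is None:
        finding["reason"] = "no trustManifest object"
        return finding
    identity = manifest.get("identity") if isinstance(manifest, dict) else None
    if not identity_is_verifiable(identity):
        finding["reason"] = "trustManifest present but identity is not verifiable"
        return finding
    return None


def scan_catalog(catalog_text: str) -> list:
    """Parse an ai-catalog.json document and return all CHK-154 findings."""
    catalog = json.loads(catalog_text)
    entries = catalog.get("entries", [])  # assumed top-level key
    return [f for f in (check_entry(e) for e in entries) if f is not None]


# Constructed sample catalog: the acme.com entry mirrors the page's before/after
# example; the remaining entries and identifiers are made up for illustration.
SAMPLE_CATALOG = json.dumps({
    "entries": [
        {"identifier": "urn:air:acme.com:server:files",
         "type": "application/mcp-server-card+json"},
        {"identifier": "urn:air:example.test:agent:planner",
         "type": "application/a2a-agent-card+json"},
        {"identifier": "urn:air:example.test:registry:main",
         "type": "application/ai-registry+json"},
        {"identifier": "urn:air:example.test:tool:calc",
         "type": "application/tool-card+json"},
        {"identifier": "urn:air:acme.com:server:files-fixed",
         "type": "application/mcp-server-card+json",
         "trustManifest": {"identity": "https://acme.com"}},
        {"identifier": "urn:air:example.test:server:weak",
         "type": "application/mcp-server-card+json",
         "trustManifest": {"identity": "acme"}},
    ]
})


if __name__ == "__main__":
    for finding in scan_catalog(SAMPLE_CATALOG):
        print(f"{finding['severity']:6} {finding['identifier']}: {finding['reason']}")
```

Running the script on the constructed catalog reports four findings: the two directly invocable entries without a manifest at HIGH, the registry entry at MEDIUM, and the entry whose identity string is neither a DID, a SPIFFE ID nor an HTTPS URL; the tool entry is out of scope and the entry carrying `{"identity": "https://acme.com"}` passes.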