About AgentScore
AgentScore is the trust policy layer for MCP dependencies.
MCP adoption is accelerating. Claude, ChatGPT, VS Code, and Cursor all support MCP servers. Anthropic donated MCP to the Linux Foundation. But most teams have no visibility into what MCP packages they use, whether those packages are safe, or whether something changed since they last checked.
AgentScore closes that gap. We monitor 350+ MCP packages on npm, scan every version for security issues, and provide a CI policy gate that decides allow, warn, or block before code merges.
What We Do
Policy Gate
A GitHub Action that checks MCP dependencies on every PR. The backend decides pass or fail, stores repo inventory, applies exceptions, and alerts when approved packages worsen.
Package Scanner
Scan any npm package for install scripts, prompt injection patterns, suspicious URLs, source code risks, and publisher posture. Free, instant, no signup.
Ecosystem Monitoring
350+ packages monitored continuously. Real-time detection when packages change. Auto-published advisories with RSS feed.
Compliance Evidence
ISO 27001 evidence mapping for asset inventory (A.8.1), vulnerability management (A.12.6), and supplier security (A.15.1).
By The Numbers
Why Now
npm supply chain attacks are not hypothetical. On March 31 2026, the axios package was compromised via a hijacked maintainer account. Any npx -y install would have pulled the malicious version with no warning. We identified affected MCP servers within minutes from stored dependency snapshots.
MCP servers are third-party software with access to your tools, data, and workflows. They deserve the same supply chain security scrutiny as any other dependency. Most teams don't have that yet.
The Company
AgentScore is built by Janus Compliance Limited, a UK company (No. 16583861) focused on AI assurance and supply chain security. Based in London.