Skip to main content

What Vulkro Labs checks

Free tools that vet what your AI pulls in.

Most of the risk in an AI-assisted project arrives from outside: the package your assistant hallucinated, the MCP server you installed on faith, the editor extension with too much access. Vulkro Labs is a set of free, open-source tools that vet what enters your project before it runs. The commercial scanner reviews the code you write; Labs guards the front door.

Free  ·  open source, MIT or Apache-2.0  ·  runs on your machine

$ curl -fsSL https://dist.vulkro.com/install-live.sh | bash

github.com/vulkro/vulkro-labs read every detector before you run it

Twelve free commands that vet what your AI pulls in: the packages it installs, the MCP servers and tools it trusts, the skills and memory it runs on, and the agent cards it talks to. All shipped. Pick one to jump to the detail.

How it works

Keyless, and it never leaves your machine.

Your AI suggests a package and you install it, sight unseen. Vulkro Labs puts one check in between: it looks the package up in the public registry and the malicious-package records, and tells you whether it is safe to add, before it ever enters your project.

Vulkro Labs ships as the vulkro-live CLI.

SafeYour AI suggests a packageVulkro Labs checks itknown-goodyou install itSafe to add.
RiskYour AI suggests a packageVulkro Labs checks itthe check finds itmalicious or hallucinatedCaught before it enters your project.

Same suggestion. The only difference is the one check that sits between the AI and your install command.

$ vulkro-live verify --manifest package.json
OK        express          real, established, not flagged
[CRITICAL] MALICIOUS  lodahs   flagged by OSV
[CRITICAL] MISSING    reqwest-helper   not in the registry
Keyless. Only public package metadata leaves your machine.

The same keyless lookup powers the risky, malicious, and hallucinated package checks, on the command line and in the browser. Only public package metadata leaves your machine. Your source never does.

Group 01 / The packages your AI suggests

Vet every package before it enters your project.

Give these a package name or point them at a manifest. Both run on your machine and send only public package metadata.

verify

Is a package safe? Catches hallucinated and slopsquatted names, known-malicious packages, look-alike typosquats, known CVEs, and suspiciously new or low-reputation packages. Covers npm, PyPI, and crates.io.

foresee

The predictive slopsquat map. Reads your real dependency stack, works out the plausible-but-absent names an AI is likely to invent for a project like yours, checks the registry, and writes a committable do-not-install guardrail.

Group 02 / The rest of the agent surface

The MCP servers, tools, skills, and memory your agent trusts.

Beyond packages, an AI agent trusts MCP servers, skills, stored memory, and other agents. The same keyless CLI vets all of them, keeps your clear-list in a committable trust store, and plugs into the agent itself as an MCP server.

warden

The MCP and agent-tool bouncer. Scans a third-party MCP server's tool descriptions (or a returned tool result) for prompt-injection, tool-poisoning, tool-shadowing, hidden unicode, exfiltration sinks, and risky capabilities.

inspect

Is this MCP server safe to add? Resolves the server, verifies the backing package, and gives a GREEN, REVIEW, or AVOID verdict before you add it.

audit

Audits your whole agent surface at once: every configured MCP server, plus the rules, skills, and instruction files an agent reads, plus network-reaching hooks.

skillscan

Scans the executable body of your skills, slash commands, and subagents (not just their prose) for the stealer behaviour a description hides.

memcheck

Scans an AI agent's stored long-term memory for poisoning: an injected fact that runs a command or steers every future session.

lock / drift

Catch an MCP rug pull. lock fingerprints the current tool manifest; drift reports a field-level diff: a tool that dropped readOnlyHint, a description that gained an injection phrase, an added or removed tool.

cardcheck

Vet an A2A agent card before your agent trusts a peer: identity and domain match, injection over every text field, confusable names, and an honest signature-presence report. It does not cryptographically verify signatures and never claims to.

trustdb

The shared trust store. Clear a package or server once and every Labs tool trusts that exact version until it changes. The decision lives in .vulkro/trust.toml, committed next to your code and reviewed like code.

mcp

The built-in MCP server. vulkro-live mcp exposes verify and warden to your AI agent over stdio, so the assistant can vet its own package suggestions and tool manifests in the loop, before acting on them.

One install ships the whole set. Every command is free, keyless, and runs on your machine. Every check takes --format sarif, so the same guardrails gate CI through GitHub Code Scanning.

The proof

Free, open source, and keyless.

No sign-up, no API key, and no backend to trust. The tools query free public feeds directly from your machine and send only public package metadata.

Open source under MIT or Apache-2.0 (the free tools, not the engine)
No account and no API key
Runs on your machine, nothing uploaded
Queries free public feeds directly

These free tools are open source under MIT or Apache-2.0. The Vulkro scanner engine is a separate, licensed product.

Free / Vulkro Labs

Vets what enters your project.

Packages, MCP servers, tools, skills, memory, agent cards: checked before they get in. Open source, keyless, on your machine.

Licensed / Vulkro engine

Analyzes the code you wrote.

Endpoints, cross-file taint, dependency CVEs, secrets, and the rest of the pre-deploy review live in the closed, licensed scanner. See what the engine checks →

The free tools vet what enters your project. Vulkro analyzes the code you write.