ai-bom-mcp

v1.2.12 suspicious
4.0
Medium Risk

AI Bill of Materials (AI-BOM) generator + auditor MCP — CycloneDX ML-BOM, SPDX 3.0 AI profile, EU AI Act Annex IV mapping, NIST AI RMF alignment, US EO 14028 federal procurement. By MEOK AI Labs.

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package ai-bom-mcp has low risks in terms of network, shell execution, and obfuscation. However, the metadata risk score of 6 suggests potential issues with the package's activity level and maintainer credibility, warranting further investigation.

  • Metadata risk score of 6 indicating potential low activity and lack of maintainer credibility
  • No immediate signs of malicious activities like network calls, shell execution, or obfuscation

Per-check LLM notes

  • Network: No network calls detected, which is normal if the package does not require internet access.
  • Shell: No shell execution detected, indicating the package does not execute external commands.
  • Obfuscation: No obfuscation patterns detected, indicating low risk of malicious obfuscation.
  • Credentials: No credential harvesting patterns detected, indicating low risk of malicious credential theft.
  • Metadata: The package shows signs of potential low activity and lack of maintainer credibility.

📦 Package Quality Overall: Medium (5.4/10)

✦ High Test Suite 9.0

Test suite present — 3 test file(s) found

  • Test runner config found: conftest.py
  • 3 test file(s) detected (e.g. test_server.py)

◈ Medium Documentation 5.0

Some documentation present

  • Detailed PyPI description (2381 chars)

○ Low Contributing Guide 2.0

No contributing guide or governance files found

  • No CONTRIBUTING, CODE_OF_CONDUCT, or governance files found

◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 17 type-annotated function signatures detected in source

◈ Medium Multiple Contributors 6.0

Limited contributor diversity

  • 2 unique contributor(s) across 39 commits in CSOAI-ORG/ai-bom-mcp
  • Two distinct contributors found

🔬 Heuristic Checks

Outbound Network Calls

No suspicious network call patterns found

Code Obfuscation

No obfuscation patterns detected

Shell / Subprocess Execution

No shell execution patterns detected

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

Email domain looks legitimate: meok.ai

Suspicious Page Links

All external links appear legitimate

Git Repository History score 2.5

Git history flags: Repository has zero stars and zero forks

  • Repository has zero stars and zero forks

Maintainer History score 4.0

2 maintainer concern(s) found

  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)

Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with ai-bom-mcp
Develop a comprehensive mini-application named 'AI Compliance Auditor' using the Python package 'ai-bom-mcp'. This application will serve as a tool for organizations to generate and audit their AI Bill of Materials (AI-BOM), ensuring compliance with various international standards and regulations. Here are the detailed steps and features for building this application:

1. **Project Setup**: Initialize your project with a virtual environment and install the 'ai-bom-mcp' package along with any necessary dependencies.

2. **User Interface**: Design a user-friendly interface where users can input details about their AI projects, including but not limited to, project names, descriptions, technology stacks used, data sources, and third-party services.

3. **AI-BOM Generation**: Utilize the 'ai-bom-mcp' package to automatically generate an AI-BOM based on the user inputs. The BOM should include components such as software libraries, models, datasets, and other relevant elements specific to AI projects.

4. **Compliance Checks**: Implement functionality within the application to check the generated AI-BOM against different compliance frameworks supported by 'ai-bom-mcp', such as CycloneDX ML-BOM, SPDX 3.0 AI profile, EU AI Act Annex IV mapping, NIST AI RMF alignment, and US EO 14028 federal procurement.

5. **Reporting**: Develop a reporting feature that provides detailed insights into the compliance status of the AI project. The report should highlight areas of compliance and potential non-compliance, offering recommendations for improvement.

6. **Audit Trail**: Maintain an audit trail of all actions taken within the application, including changes made to the AI-BOM and compliance checks performed. This feature ensures transparency and accountability.

7. **Customization**: Allow users to customize the compliance checks based on their specific needs and regulatory requirements. Users should be able to select which frameworks they want to apply to their projects.

8. **Integration**: Explore opportunities to integrate the application with existing CI/CD pipelines or project management tools, making it easier for teams to manage compliance throughout the development lifecycle.

By leveraging the 'ai-bom-mcp' package, your application will provide a powerful solution for managing and ensuring compliance in AI projects, thereby helping organizations navigate the complex landscape of AI regulations.