The safe search engine for software

Agent package risk radar

A public, opt-in growth surface for agent package trust: radar cards, decision paths, launch copy and safety rules without unsolicited repo promotion.

Radar cards: 9
Review gates: 9
GitHub spam: 0
Machine report: /agent-risk-radar.json

Decision

The growth mechanism

Why now: agents make install decisions
Agents increasingly turn package metadata, README text, model cards and MCP server configs into execution decisions.

Moat: a decision layer, not another scanner
Nipmod already spans npm, PyPI, GitHub, Hugging Face, Docker, Open VSX and MCP at the decision layer.

Top card: MCP server credential scope
MCP metadata is public, but tool scope and credential exposure still need a downstream trust decision.

Cards

Public radar cards

MCP
MCP server credential scope

Review required for agent use. This is a metadata and execution-boundary card, not an accusation.

MCP metadata is public, but tool scope and credential exposure still need a downstream trust decision.

Verdict: review. Risk 88/100, attention 96/100.

Decision path: /api/decision?q=MCP%20server%20with%20filesystem%20and%20token%20tools&sources=mcp&limit=5

radar-94421adb
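The card above says the tool scope and credential exposure of an MCP server need a downstream decision. The following is an added example of that preflight, not Nipmod's own code: it reads the common host config shape (an mcpServers map of command, args and env), and reports which servers receive credentials through env, which get a whole filesystem root as an argument, and which are started through a fetch-and-run launcher without a pinned version. The secret-name pattern, the list of broad roots and the launcher list are this example's assumptions; the sample config and its package names are constructed.

```python
"""Preflight review of MCP server entries before an agent host enables them.

Added example, not Nipmod's own code. It reads the common host config shape
(mcpServers -> {command, args, env}) and reports credential and filesystem
scope findings. The patterns and thresholds are this example's assumptions.
"""
import json
import os
import re
from dataclasses import dataclass, field

# Env var names that usually carry credentials (heuristic, not exhaustive).
SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|PRIVATE_KEY", re.I)
# Filesystem roots that give a tool server effectively unrestricted scope.
BROAD_ROOTS = {"/", "~", "C:\\", "C:/", os.path.expanduser("~")}
# Package runners that download and execute a package at server start.
FETCH_AND_RUN = {"npx", "uvx", "pipx"}


@dataclass
class McpFinding:
    code: str
    detail: str


@dataclass
class McpReport:
    server: str
    findings: list = field(default_factory=list)

    def codes(self) -> set:
        return {f.code for f in self.findings}

    def verdict(self) -> str:
        # "review" means a human or host policy must confirm the scope, nothing more.
        return "review" if self.findings else "no-scope-finding"


def review_mcp_server(name: str, entry: dict) -> McpReport:
    report = McpReport(server=name)
    command = str(entry.get("command", ""))
    args = [str(a) for a in entry.get("args", [])]
    env = entry.get("env") or {}

    for key, value in env.items():
        if SECRET_NAME.search(key):
            report.findings.append(McpFinding(
                "credential-in-env",
                f"{key} is passed to the server process, so every tool it exposes can use it"))
            # A literal value means the secret also sits in the config file on disk.
            if value and not str(value).startswith("${"):
                report.findings.append(McpFinding(
                    "credential-literal-in-config", f"{key} is stored as a literal value"))

    for arg in args:
        if arg in BROAD_ROOTS:
            report.findings.append(McpFinding(
                "broad-filesystem-scope", f"argument {arg!r} exposes the whole filesystem"))

    if command in FETCH_AND_RUN:
        spec = next((a for a in args if not a.startswith("-")), None)
        # npx pins as name@version (scoped names start with "@"); uvx/pipx as name==version.
        pinned = spec is not None and ("@" in spec[1:] or "==" in spec)
        if not pinned:
            report.findings.append(McpFinding(
                "unpinned-fetch-and-run",
                f"{command} resolves and runs {spec!r} at every start without a pinned version"))
    return report


def review_config(config: dict) -> dict:
    return {name: review_mcp_server(name, entry)
            for name, entry in config.get("mcpServers", {}).items()}


# Constructed host config; the package names are hypothetical.
SAMPLE_CONFIG = json.loads("""{
  "mcpServers": {
    "files":   {"command": "npx", "args": ["-y", "@example/fs-server", "/"]},
    "tickets": {"command": "npx", "args": ["-y", "@example/ticket-server@1.4.2"],
                "env": {"TICKET_API_TOKEN": "tk_live_example"}},
    "clock":   {"command": "node", "args": ["./clock-server.js"]}
  }
}""")

if __name__ == "__main__":
    for name, report in review_config(SAMPLE_CONFIG).items():
        print(name, report.verdict(), sorted(report.codes()))
```

Nothing here judges the server's code. A "review" verdict only records that the host is about to hand a process a credential or a filesystem root, or to fetch unpinned code, which is exactly the decision the card says must be made downstream of the registry metadata.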
npm
npm lifecycle execution

Review required before install. The card describes an execution surface, not a malware verdict.

Install-time hooks are one of the easiest ways for a package to execute before an agent has reviewed the code.

Verdict: review. Risk 86/100, attention 94/100.

Decision path: /api/decision?q=npm%20package%20with%20preinstall%20script&sources=npm&limit=5

radar-040a3a2b
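The card above describes install-time hooks as an execution surface. As an added example, not Nipmod's code, the block below does the pre-install part of that review from package.json alone: it separates the scripts npm runs on a plain registry install (preinstall, install, postinstall) from those that run in other automatic contexts, and it also covers the case where a package executes without any install script because npm substitutes `node-gyp rebuild` when binding.gyp is present. The sample metadata and package names are constructed; the optional file list is an assumption about what the caller has already fetched.

```python
"""Pre-install review of npm lifecycle hooks from package metadata.

Added example, not Nipmod's own code. It reads package.json fields (and an
optional file list) only; it does not contact the registry or run npm.
"""
import json
from dataclasses import dataclass, field
from typing import Iterable

# Scripts npm runs automatically when the package is installed as a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Scripts npm runs automatically in other contexts (git dependencies, a local
# `npm install` inside the package, pack/publish); not on a plain registry install.
OTHER_AUTO_HOOKS = ("prepare", "preprepare", "postprepare", "prepublish", "prepack", "postpack")


@dataclass
class HookReport:
    name: str
    version: str
    install_hooks: dict = field(default_factory=dict)
    other_hooks: dict = field(default_factory=dict)
    implicit_node_gyp: bool = False

    @property
    def executes_on_install(self) -> bool:
        return bool(self.install_hooks) or self.implicit_node_gyp

    def verdict(self) -> str:
        if self.executes_on_install:
            return "review"                # code runs before anyone has read it
        if self.other_hooks:
            return "review-conditional"    # runs only for git deps / local installs
        return "no-install-execution"

    def install_args(self) -> list:
        # Receipt recommendation: keep hooks off until a human has read them.
        return ["--ignore-scripts"] if self.executes_on_install else []


def review_package_json(pkg: dict, files: Iterable[str] = ()) -> HookReport:
    scripts = pkg.get("scripts") or {}
    files = set(files)
    report = HookReport(name=pkg.get("name", "?"), version=pkg.get("version", "?"))
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            report.install_hooks[hook] = scripts[hook]
    for hook in OTHER_AUTO_HOOKS:
        if hook in scripts:
            report.other_hooks[hook] = scripts[hook]
    # npm substitutes `node-gyp rebuild` as the install script when the package
    # ships binding.gyp and defines neither install nor preinstall: execution
    # with no script visible in package.json.
    if "binding.gyp" in files and not ({"install", "preinstall"} & set(scripts)):
        report.implicit_node_gyp = True
    return report


# Constructed sample metadata (hypothetical packages).
HOOKED = json.loads("""{
  "name": "example-cli-helper", "version": "2.3.1",
  "scripts": {"postinstall": "node ./scripts/setup.js", "test": "jest"}
}""")
CLEAN = json.loads("""{
  "name": "example-utils", "version": "1.0.0",
  "scripts": {"build": "tsc", "test": "jest"}
}""")
PREPARE_ONLY = json.loads("""{
  "name": "example-lib", "version": "0.4.0",
  "scripts": {"prepare": "husky install", "test": "jest"}
}""")

if __name__ == "__main__":
    for pkg in (HOOKED, CLEAN, PREPARE_ONLY):
        r = review_package_json(pkg)
        print(r.name, r.verdict(), r.install_hooks, r.install_args())
```

The report is deliberately not a malware verdict: a postinstall that runs `node ./scripts/setup.js` is flagged because it executes, not because of what it does, and the reviewer (human or host policy) reads the script before the `--ignore-scripts` recommendation is lifted.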
npm
npm identity spoofing

Review the identity binding. Similar names and copied metadata require human or host confirmation.

Typosquatting works because agents often trust names, versions and copied repository URLs too early.

Verdict: review. Risk 82/100, attention 91/100.

Decision path: /api/decision?q=OpenSearch%20JavaScript%20client%20npm%20package&sources=npm&limit=5

radar-0c5b2b40
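The card above says similar names and copied metadata need a human or host confirmation of the identity binding. The block below is an added example of that check, not Nipmod's code: it normalises the candidate name (scope markers, hyphens and case are what lookalikes vary), measures edit distance against a trusted record, and separately flags a candidate whose repository URL points at the trusted package's repository under a different name. The trusted record uses the real OpenSearch JS client name and repository URL; its maintainer handles, the lookalike candidate and the distance threshold are this example's own constructions.

```python
"""Identity-binding check for an npm package before an agent trusts the name.

Added example, not Nipmod's own code. It compares a candidate package record
(name, repository URL, maintainer handles, as found in registry metadata)
against a small allowlist of trusted records. The edit-distance threshold and
URL normalisation are this example's own choices.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


def normalize_name(name: str) -> str:
    # "@opensearch-project/opensearch" -> "opensearchprojectopensearch": scope
    # markers, hyphens, dots and case are exactly what lookalike names vary.
    return re.sub(r"[^a-z0-9]", "", name.lower())


def normalize_repo(url: str) -> str:
    url = url.strip().lower()
    url = re.sub(r"^(git\+)?(https?|git|ssh)://", "", url)
    url = re.sub(r"^git@github\.com:", "github.com/", url)
    url = re.sub(r"^www\.", "", url)
    return re.sub(r"\.git$", "", url).rstrip("/")


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class IdentityReport:
    candidate: str
    matched: Optional[str] = None
    findings: list = field(default_factory=list)   # (code, detail) pairs

    def codes(self) -> list:
        return [code for code, _ in self.findings]

    def verdict(self) -> str:
        if self.findings:
            return "review"
        return "identity-match" if self.matched else "unrelated"


def review_identity(candidate: dict, trusted: list, max_distance: int = 2) -> IdentityReport:
    report = IdentityReport(candidate=candidate["name"])
    cand_norm = normalize_name(candidate["name"])
    cand_repo = normalize_repo(candidate.get("repository", ""))
    cand_maint = set(candidate.get("maintainers", []))

    for ref in trusted:
        ref_norm = normalize_name(ref["name"])
        ref_repo = normalize_repo(ref.get("repository", ""))
        same_repo = bool(cand_repo) and cand_repo == ref_repo
        if cand_norm == ref_norm:
            # Registry names are unique, so this is the trusted package itself;
            # only a moved repository URL is worth a second look.
            report.matched = ref["name"]
            if not same_repo:
                report.findings.append(("repository-changed", f"now {cand_repo or 'none'}, was {ref_repo}"))
            return report
        dist = levenshtein(cand_norm, ref_norm)
        lookalike = dist <= max_distance
        if lookalike:
            report.findings.append(("lookalike-name", f"{dist} edit(s) from {ref['name']}"))
        if same_repo:
            report.findings.append(("copied-repository-url", f"claims {ref['name']}'s repository under another name"))
        if (lookalike or same_repo) and not (cand_maint & set(ref.get("maintainers", []))):
            report.findings.append(("maintainers-disjoint", f"no maintainer in common with {ref['name']}"))
    return report


# Trusted record: the real OpenSearch JS client name and repository; the
# maintainer handles are constructed placeholders.
TRUSTED = [{"name": "@opensearch-project/opensearch",
            "repository": "https://github.com/opensearch-project/opensearch-js",
            "maintainers": ["trusted-maint-a", "trusted-maint-b"]}]
# Constructed lookalike candidate (hypothetical, not a real package).
LOOKALIKE = {"name": "@opensearch-proyect/opensearch",
             "repository": "git+https://github.com/opensearch-project/opensearch-js.git",
             "maintainers": ["fresh-account-42"]}

if __name__ == "__main__":
    r = review_identity(LOOKALIKE, TRUSTED)
    print(r.candidate, r.verdict(), r.codes())
```

A copied repository URL is the stronger of the two signals: a lookalike name can be a coincidence, but a package that claims another package's repository while sharing none of its maintainers has copied metadata, which is exactly what the card says an agent should not accept as identity.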
PyPI
PyPI provenance freshness

Review package provenance before agent execution. Popularity is not execution permission.

Agent installs need provenance and maintainer continuity, not popularity alone.

Verdict: review. Risk 68/100, attention 81/100.

Decision path: /api/decision?q=Python%20HTTP%20client%20package&sources=pypi&limit=5

radar-5f562049
Hugging Face model
HF model remote code

Review required for model loading. This is not a model quality score or safety guarantee.

Model selection is now package selection: loaders, custom code and weights need the same preflight receipt.

Verdict: review. Risk 74/100, attention 84/100.

Decision path: /api/decision?q=Hugging%20Face%20model%20requiring%20remote%20code&sources=huggingface-model&limit=5

radar-a5f851cf
Hugging Face dataset
HF dataset loader scripts

Review required before automated dataset loading. The radar does not judge dataset content quality.

Datasets are not passive files when the loading path executes scripts or fetches additional resources.

Verdict: review. Risk 63/100, attention 78/100.

Decision path: /api/decision?q=Hugging%20Face%20dataset%20with%20loading%20script&sources=huggingface-dataset&limit=5

radar-cf1c16f3
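The two Hugging Face cards above (model remote code, dataset loader scripts) both come down to one question: does loading this repo execute Python that the repo supplies? The block below is an added example that answers it from the repo's file list and parsed config files, not from Nipmod's code and not from Hugging Face's libraries. For models it looks for auto_map entries, which point at custom modules that transformers only imports under trust_remote_code=True; for datasets it treats a top-level .py file as a loading script; for both it records whether the weights are pickle-based formats or safetensors. The repos, file lists and config contents are constructed.

```python
"""Preflight for Hugging Face model and dataset repos: does loading run code?

Added example, not Nipmod's or Hugging Face's code. Input is the repo's file
list and, for models, its parsed config files; nothing is downloaded or loaded.
"""
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Weight formats that are Python pickles underneath; deserialising them can run code.
PICKLE_SUFFIXES = (".bin", ".pt", ".pth", ".ckpt", ".pkl", ".pickle")
SAFE_WEIGHT_SUFFIXES = (".safetensors", ".gguf")
# Config files whose auto_map entries point at custom modules that transformers
# imports from the repo only when trust_remote_code=True.
AUTO_MAP_FILES = ("config.json", "tokenizer_config.json", "processor_config.json")


@dataclass
class HfReport:
    repo: str
    kind: str                                  # "model" or "dataset"
    custom_modules: list = field(default_factory=list)
    loader_scripts: list = field(default_factory=list)
    other_python: list = field(default_factory=list)
    pickle_weights: list = field(default_factory=list)
    safe_weights: list = field(default_factory=list)

    @property
    def requires_remote_code(self) -> bool:
        return bool(self.custom_modules or self.loader_scripts)

    def verdict(self) -> str:
        if self.requires_remote_code:
            return "review"            # loading means executing repo-supplied Python
        if self.pickle_weights and not self.safe_weights:
            return "review-pickle"     # no code files, but the weights are pickles
        return "no-code-on-load"


def review_hf_repo(repo: str, kind: str, files: Iterable[str],
                   configs: Optional[dict] = None) -> HfReport:
    files = list(files)
    configs = configs or {}
    report = HfReport(repo=repo, kind=kind)
    top_level_py = sorted(f for f in files if f.endswith(".py") and "/" not in f)

    if kind == "model":
        for cfg_name in AUTO_MAP_FILES:
            auto_map = (configs.get(cfg_name) or {}).get("auto_map") or {}
            for cls, target in auto_map.items():
                # target is "module.Class", or "owner/repo--module.Class" when the
                # code lives in another repo; either way it is imported at load time.
                report.custom_modules.append(f"{cfg_name}: {cls} -> {target}")
        # .py files without an auto_map entry are not imported by from_pretrained,
        # but they still belong in the receipt.
        report.other_python.extend(top_level_py)
    else:
        # A dataset loading script at the repo root is executed by load_dataset
        # (older `datasets` releases, with trust_remote_code=True).
        report.loader_scripts.extend(top_level_py)

    for f in files:
        if f.endswith(PICKLE_SUFFIXES):
            report.pickle_weights.append(f)
        elif f.endswith(SAFE_WEIGHT_SUFFIXES):
            report.safe_weights.append(f)
    return report


# Constructed repos; names and contents are hypothetical.
MODEL_FILES = ["config.json", "configuration_demo.py", "modeling_demo.py",
               "model.safetensors", "README.md"]
MODEL_CONFIGS = {"config.json": {
    "architectures": ["DemoForCausalLM"],
    "auto_map": {"AutoConfig": "configuration_demo.DemoConfig",
                 "AutoModelForCausalLM": "modeling_demo.DemoForCausalLM"}}}
DATASET_FILES = ["README.md", "demo-dataset.py", "data/train.parquet"]

if __name__ == "__main__":
    m = review_hf_repo("example-org/demo-model", "model", MODEL_FILES, MODEL_CONFIGS)
    d = review_hf_repo("example-org/demo-dataset", "dataset", DATASET_FILES)
    print(m.repo, m.verdict(), m.custom_modules)
    print(d.repo, d.verdict(), d.loader_scripts)
```

The three verdicts map onto the cards' own language: "review" is an execution surface on load, "review-pickle" is an execution surface in deserialisation with no code files to read, and "no-code-on-load" says nothing about model quality or dataset content, only that loading does not run repo-supplied Python.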
GitHub
GitHub metadata instructions

Review repository instructions before execution. Nipmod does not post unsolicited issues or comments.

Repositories increasingly include agent-facing instructions, but README text is not a host policy.

Verdict: review. Risk 71/100, attention 83/100.

Decision path: /api/decision?q=GitHub%20repository%20with%20install%20instructions%20for%20agents&sources=github&limit=5

radar-defb70d3
Docker Hub
Docker runtime boundary

Review required before runtime. A pullable image is not permission to run it.

Agent tool recommendations often cross from package metadata into container runtime permissions.

Verdict: review. Risk 69/100, attention 76/100.

Decision path: /api/decision?q=Docker%20image%20for%20agent%20tool%20runtime&sources=dockerhub&limit=5

radar-6c4f8c4f
Open VSX
Open VSX extension permissions

Review extension permissions before enabling. The card is a preflight checklist, not an endorsement.

Agent tooling often enters through editor extensions, where installation creates a long-lived local execution surface.

Verdict: review. Risk 66/100, attention 72/100.

Decision path: /api/decision?q=VS%20Code%20extension%20for%20AI%20coding%20workflow&sources=openvsx&limit=5

radar-277a5eb5

Launch loop

What to do next

Day 0
Publish radar page, JSON report and launch playbook.
Surface: /agent-risk-radar and /agent-risk-radar.json
Signal: page live, report fetchable, no unsafe claims in copy.

Day 1
Post one neutral thread: why autonomous agents need package decision receipts before install.
Surface: owned social post linked to radar JSON and proof pages.
Signal: inbound scans, bookmarks and replies from agent builders.

Day 2
Invite five MCP or agent-tool maintainers to opt in to a card, badge or GitHub Action preview.
Constraint: manual, relevant outreach only.
Signal: opt-in replies and first badge candidates.

Day 3
Turn the highest-interest radar card into a deeper positive case study.
Constraint: no public shaming; include owner correction path.
Signal: case study shares, API beta key requests and partner leads.

No spam

Rules that protect the trust claim

Do not post unsolicited GitHub issues, comments, reviews or PRs to promote Nipmod.
Instead: opt-in GitHub Action, maintainer-requested checks and owner-controlled badges.

Do not publish a worst-packages or unsafe-maintainers leaderboard.
Instead: use review queues, evidence gaps and positive agent-ready cards.

Do not label packages or maintainers malicious without public advisory-grade evidence.
Instead: say review required, insufficient evidence or execution surface present unless an advisory proves more.

Do not evade rate limits, scrape private data or rotate accounts.
Instead: use official APIs, rate limits, public metadata and cached snapshots.

Do not downgrade a package because its maintainer has not adopted Nipmod.
Instead: make Nipmod badges opt-in and never treat absence of Nipmod as a negative trust signal.

Distribution

Channels

Nipmod owned surfaces (primary launch surface and proof anchor)
owned_surface: Publish /agent-risk-radar and /agent-risk-radar.json, then pin the risk radar in /llms.txt for agent ingestion.

GitHub opt-in receipts (workflow adoption without unsolicited repo contact)
opt_in_only: Invite maintainers to add an opt-in badge or GitHub Action only inside repositories they control.

Hugging Face Space (community demo and lightweight distribution)
owned_surface: Ship a read-only Gradio Space wrapper after the radar page is live, using the same JSON report and no arbitrary package scanning.

Manual researcher outreach (high-signal awareness with no bulk messaging)
manual_curated_outreach: Send a short manual note to security researchers and MCP registry builders with the radar link and methodology.

Copy

Launch post kit

Owned social (launch post)

Autonomous agents should not install packages from a README, model card or registry result alone. We shipped the Nipmod Agent Package Risk Radar: 9 review cards for MCP, npm, PyPI, GitHub, Hugging Face, Docker and Open VSX, with machine-readable decision paths and a strict no-spam policy. https://nipmod.com/agent-risk-radar

Maintainer challenge (agent-ready challenge)

Maintainers: if your package, MCP server, model or extension should be agent-ready, the next useful artifact is not another badge claim. It is a reviewable decision receipt: identity, source evidence, install boundary, runtime boundary and owner-controlled correction path.

Trust policy

Nipmod will not contact repositories with unsolicited warnings or promotion. The public radar is opt-in, evidence-based and designed to make safe agent package decisions easier without shaming maintainers.

Machine

Agent-readable report

Radar JSON (/agent-risk-radar.json): use this as the source for agents, Spaces and opt-in GitHub workflows.
Decision API (/api/decision): requires a Nipmod API key and still performs no hosted install, clone or runtime execution.
Source quality: shows source depth and benchmark gates behind the radar.
Proof: read the evidence boundaries before stronger public claims.

Research

External context

GitHub Acceptable Use Policies
Bulk promotional comments or issues would conflict with platform policy and Nipmod's trust positioning.
MCP Registry trust and security
The official MCP registry is metadata-first and explicitly leaves additional security checks to downstream aggregators.
GitHub Dependency Review
Dependency review is already a normalized developer workflow; Nipmod should complement it with pre-install agent decision receipts.
OpenSSF Scorecard Action
OpenSSF Scorecard shows badges and GitHub Actions can scale when maintainers opt in.
Hugging Face Leaderboards and Evaluations
Community leaderboards and Spaces are established distribution patterns, but should wrap a native Nipmod report rather than replace it.
Microsoft Security: typosquatted npm packages
Recent npm typosquat campaigns used install hooks and credential theft, which makes the case for agent pre-install review concrete rather than theoretical.