🤖 AI Summary
OpenACA has debuted as an open reference scanner for Agent Composition Analysis (ACA): security scanning for AI agent stacks that include plugins, MCP servers, skills, and commands, elements that traditional dependency scanners often overlook. By building a comprehensive Agent Bill of Materials (BOM), OpenACA lets developers normalize component identities, trace vulnerabilities back to their sources, and match components against known security advisories (such as OSV, GHSA, CVE, and MAL). For the AI/ML community, this gives agent development a dedicated tool for assessing the security of agent-specific configurations.
OpenACA operates in two primary modes: scanning agent components declared in a repository, and analyzing those installed on a local machine. It reads config files like mcp.json and .claude/settings.json to surface potential vulnerabilities, and it serves as a complement to traditional Software Composition Analysis (SCA) scanners. Because it can integrate with CI/CD processes, developers can automate security checks within their workflows and keep checking the integrity of AI applications as they evolve. OpenACA focuses on the dependencies within AI agents, a gap in software security that becomes more pertinent as AI systems grow more complex and widespread.
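The BOM steps described above (read the agent config, normalize component identities, record where each component was declared, match advisories), as an added example that is not OpenACA's code. It assumes the common mcpServers layout for mcp.json and npx/uvx launchers; the package names, the advisory table and its placeholder ID are constructed.

```python
import json

# Constructed sample in the common "mcpServers" layout (an assumption, not from the page).
SAMPLE_MCP_JSON = """{
  "mcpServers": {
    "files":  {"command": "npx", "args": ["-y", "@example/mcp-files@1.2.0"]},
    "search": {"command": "uvx", "args": ["Example_MCP_Search@0.4.1"]},
    "notes":  {"command": "npx", "args": ["-y", "example-mcp-notes"]},
    "local":  {"command": "/opt/tools/my-server", "args": ["--stdio"]}
  }
}"""

# Constructed advisory table keyed by normalized identity; the ID is a placeholder.
ADVISORIES = {"pkg:npm/%40example/mcp-files@1.2.0": ["PLACEHOLDER-ADVISORY-0001"]}
# Launcher command -> package ecosystem it fetches from.
LAUNCHERS = {"npx": "npm", "uvx": "pypi"}

def normalize(command, args):
    """Return (purl, pinned); purl is None when the command is not a known launcher."""
    if command not in LAUNCHERS:
        return None, False
    spec = next((a for a in args if not a.startswith("-")), None)
    if spec is None:
        return None, False
    # Search from index 1 so an npm scope's leading '@' is not read as the version separator.
    idx = spec.find("@", 1)
    name, version = (spec[:idx], spec[idx + 1:]) if idx > 0 else (spec, None)
    if LAUNCHERS[command] == "pypi":
        name = name.lower().replace("_", "-")   # PyPI names compare case-insensitively
    name = name.replace("@", "%40")             # purl encoding of the npm scope marker
    return f"pkg:{LAUNCHERS[command]}/{name}" + (f"@{version}" if version else ""), version is not None

def build_bom(config_text, source):
    """One BOM row per declared MCP server, with source location and matched advisories."""
    bom = []
    for server, entry in json.loads(config_text).get("mcpServers", {}).items():
        purl, pinned = normalize(entry.get("command", ""), entry.get("args", []))
        bom.append({"component": server, "purl": purl, "pinned": pinned,
                    "source": f"{source}#mcpServers.{server}",
                    "advisories": ADVISORIES.get(purl, [])})
    return bom

if __name__ == "__main__":
    for row in build_bom(SAMPLE_MCP_JSON, "mcp.json"):
        print(row)
```

Rows with a purl of None (an opaque local binary) or pinned set to False (no version to match) are the ones an advisory lookup cannot cover, so they need separate review.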