diff --git a/data/reports/helix-pilot.json b/data/reports/helix-pilot.json new file mode 100644 index 000000000..02b62430a --- /dev/null +++ b/data/reports/helix-pilot.json 
@@ -0,0 +1,119 @@ +{ + "tool_id": "helix-pilot", + "version": "2.0.0", + "grade": "B", + "risk_score": 17, + "scan_date": "2026-05-29T18:40:23.715466Z", + "scanner": "tooltrust-scanner/v0.3.12", + "source_url": "https://github.com/tsunamayo7/helix-pilot", + "category": "Scan Request", + "vendor": "tsunamayo7", + "stars": 4, + "license": "MIT", + "language": "Python", + "description": "GUI automation MCP server powered by local Vision LLM (Ollama). Control your Windows desktop from Claude Code, Codex CLI, and other MCP clients.", + "findings": [ + { + "id": "AS-002", + "severity": "High", + "title": "Excessive Permission Surface", + "description": "tool declares exec permission", + "recommendation": "Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.", + "tool_name": "find" + }, + { + "id": "AS-011", + "severity": "Low", + "title": "DoS Resilience — Missing Rate Limit / Timeout", + "description": "tool performs network or execution operations but declares no rate-limit, timeout, or retry configuration", + "recommendation": "Declare explicit rate-limit, timeout, and retry configuration for all network and execution tools. Implement exponential back-off and surface resource state to the calling agent.", + "tool_name": "find" + }, + { + "id": "AS-002", + "severity": "High", + "title": "Excessive Permission Surface", + "description": "tool declares exec permission", + "recommendation": "Tool requests broad permissions (exec/fs/network). 
Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.", + "tool_name": "auto" + }, + { + "id": "AS-011", + "severity": "Low", + "title": "DoS Resilience — Missing Rate Limit / Timeout", + "description": "tool performs network or execution operations but declares no rate-limit, timeout, or retry configuration", + "recommendation": "Declare explicit rate-limit, timeout, and retry configuration for all network and execution tools. Implement exponential back-off and surface resource state to the calling agent.", + "tool_name": "auto" + }, + { + "id": "AS-002", + "severity": "High", + "title": "Excessive Permission Surface", + "description": "tool declares exec permission", + "recommendation": "Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.", + "tool_name": "browse" + }, + { + "id": "AS-011", + "severity": "Low", + "title": "DoS Resilience — Missing Rate Limit / Timeout", + "description": "tool performs network or execution operations but declares no rate-limit, timeout, or retry configuration", + "recommendation": "Declare explicit rate-limit, timeout, and retry configuration for all network and execution tools. Implement exponential back-off and surface resource state to the calling agent.", + "tool_name": "browse" + }, + { + "id": "AS-002", + "severity": "Medium", + "title": "Excessive Permission Surface", + "description": "tool declares fs permission", + "recommendation": "Tool requests broad permissions (exec/fs/network). 
Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.", + "tool_name": "resize_image" + }, + { + "id": "AS-002", + "severity": "High", + "title": "Excessive Permission Surface", + "description": "tool declares exec permission", + "recommendation": "Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.", + "tool_name": "spawn_pilot_agent" + }, + { + "id": "AS-011", + "severity": "Low", + "title": "DoS Resilience — Missing Rate Limit / Timeout", + "description": "tool performs network or execution operations but declares no rate-limit, timeout, or retry configuration", + "recommendation": "Declare explicit rate-limit, timeout, and retry configuration for all network and execution tools. Implement exponential back-off and surface resource state to the calling agent.", + "tool_name": "spawn_pilot_agent" + } + ], + "summary": { + "critical": 0, + "high": 4, + "medium": 1, + "low": 4, + "info": 0 + }, + "methodology": "https://github.com/AgentSafe-AI/tooltrust-directory/blob/main/docs/methodology.md", + "tool_names": [ + "auto", + "browse", + "click", + "click_screenshot", + "close_pilot_agent", + "describe", + "find", + "hotkey", + "list_pilot_agents", + "list_windows", + "resize_image", + "screenshot", + "scroll", + "send_pilot_agent_input", + "spawn_pilot_agent", + "status", + "type_text", + "verify", + "wait_pilot_agent", + "wait_stable" + ] +} \ No newline at end of file diff --git a/data/reports/james-bf0v-imprint-intelligence.json b/data/reports/james-bf0v-imprint-intelligence.json deleted file mode 100644 index a914002ab..000000000 --- a/data/reports/james-bf0v-imprint-intelligence.json +++ /dev/null 
@@ -1,197 +0,0 @@ -{ - "tool_id": "james-bf0v-imprint-intelligence", - "version": "smithery", - "grade": "B", - "risk_score": 17, - "scan_date": "2026-05-25T02:48:26.063143429Z", - "scanner": "tooltrust-scanner/v0.3.12", - "source_url": "https://smithery.ai/server/james-bf0v/imprint-intelligence", - "vendor": "Smithery", - "description": "Agent-callable creator-audience intelligence. 952+ scored YouTube creators across 180 niches. Search, niche landscapes, deep profiles, brand-creator ranking. Free tier requires no key.\n\nImprint scores creators across six axes (Voice, Audience, Product, Partnership, Risk, Reach), maps niches into landscapes, and ranks creators against brand briefs. The same data that powers byimprint.com/intelligence reports is reachable from Claude, ChatGPT, Cursor, and any MCP-aware client through one install.\n\nPricing: Free (100 calls/day) · Indie $49/mo (5K calls) · Agency $499/mo (50K calls + 5 brand-creator ranks/mo, $99/call after) · Pay-per-call ($99/rank, $5/map-synthesize).\n\nOpen-source client: github.com/byimprint/mcp-server (MIT). npm: @byimprint/mcp-server.", - "findings": [ - { - "id": "AS-002", - "severity": "High", - "title": "Excessive Permission Surface", - "description": "tool declares network permission", - "recommendation": "Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.", - "tool_name": "imprint-search" - }, - { - "id": "AS-011", - "severity": "Low", - "title": "DoS Resilience — Missing Rate Limit / Timeout", - "description": "tool performs network or execution operations but declares no rate-limit, timeout, or retry configuration", - "recommendation": "Declare explicit rate-limit, timeout, and retry configuration for all network and execution tools. 
Implement exponential back-off and surface resource state to the calling agent.", - "tool_name": "imprint-search" - }, - { - "id": "AS-014", - "severity": "Info", - "title": "DEPENDENCY_INVENTORY_UNAVAILABLE", - "description": "Tool did not expose metadata.dependencies or repo_url, so supply-chain coverage is limited.", - "recommendation": "Review and remediate the identified issue.", - "tool_name": "imprint-search" - }, - { - "id": "AS-014", - "severity": "Info", - "title": "DEPENDENCY_INVENTORY_UNAVAILABLE", - "description": "Tool did not expose metadata.dependencies or repo_url, so supply-chain coverage is limited.", - "recommendation": "Review and remediate the identified issue.", - "tool_name": "imprint-grep" - }, - { - "id": "AS-002", - "severity": "Low", - "title": "Excessive Permission Surface", - "description": "input schema exposes 12 properties (threshold: 10)", - "recommendation": "Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.", - "tool_name": "imprint-filter" - }, - { - "id": "AS-014", - "severity": "Info", - "title": "DEPENDENCY_INVENTORY_UNAVAILABLE", - "description": "Tool did not expose metadata.dependencies or repo_url, so supply-chain coverage is limited.", - "recommendation": "Review and remediate the identified issue.", - "tool_name": "imprint-filter" - }, - { - "id": "AS-014", - "severity": "Info", - "title": "DEPENDENCY_INVENTORY_UNAVAILABLE", - "description": "Tool did not expose metadata.dependencies or repo_url, so supply-chain coverage is limited.", - "recommendation": "Review and remediate the identified issue.", - "tool_name": "imprint-map" - }, - { - "id": "AS-014", - "severity": "Info", - "title": "DEPENDENCY_INVENTORY_UNAVAILABLE", - "description": "Tool did not expose metadata.dependencies or repo_url, so supply-chain coverage is limited.", - "recommendation": "Review and remediate the identified issue.", - 
"tool_name": "imprint-profile" - }, - { - "id": "AS-014", - "severity": "Info", - "title": "DEPENDENCY_INVENTORY_UNAVAILABLE", - "description": "Tool did not expose metadata.dependencies or repo_url, so supply-chain coverage is limited.", - "recommendation": "Review and remediate the identified issue.", - "tool_name": "imprint-niche" - }, - { - "id": "AS-002", - "severity": "Low", - "title": "Excessive Permission Surface", - "description": "input schema exposes 11 properties (threshold: 10)", - "recommendation": "Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.", - "tool_name": "imprint-rank-creators-for-brand" - }, - { - "id": "AS-014", - "severity": "Info", - "title": "DEPENDENCY_INVENTORY_UNAVAILABLE", - "description": "Tool did not expose metadata.dependencies or repo_url, so supply-chain coverage is limited.", - "recommendation": "Review and remediate the identified issue.", - "tool_name": "imprint-rank-creators-for-brand" - } - ], - "summary": { - "critical": 0, - "high": 1, - "medium": 0, - "low": 3, - "info": 7 - }, - "methodology": "https://github.com/AgentSafe-AI/tooltrust-directory/blob/main/docs/methodology.md", - "tool_names": [ - "imprint-filter", - "imprint-grep", - "imprint-map", - "imprint-niche", - "imprint-profile", - "imprint-rank-creators-for-brand", - "imprint-search" - ], - "tool_contexts": [ - { - "tool_name": "imprint-search", - "action": "ALLOW", - "grade": "B", - "behavior": [ - "executes_commands", - "uses_network" - ], - "dependency_visibility": "No dependency data", - "dependency_note": "No metadata.dependencies or repo_url were exposed by this MCP server." - }, - { - "tool_name": "imprint-grep", - "action": "ALLOW", - "grade": "A", - "dependency_visibility": "No dependency data", - "dependency_note": "No metadata.dependencies or repo_url were exposed by this MCP server." 
- }, - { - "tool_name": "imprint-filter", - "action": "ALLOW", - "grade": "A", - "dependency_visibility": "No dependency data", - "dependency_note": "No metadata.dependencies or repo_url were exposed by this MCP server." - }, - { - "tool_name": "imprint-map", - "action": "ALLOW", - "grade": "A", - "destinations": [ - "dynamic email recipient (maxCreators)" - ], - "dependency_visibility": "No dependency data", - "dependency_note": "No metadata.dependencies or repo_url were exposed by this MCP server." - }, - { - "tool_name": "imprint-profile", - "action": "ALLOW", - "grade": "A", - "dependency_visibility": "No dependency data", - "dependency_note": "No metadata.dependencies or repo_url were exposed by this MCP server." - }, - { - "tool_name": "imprint-niche", - "action": "ALLOW", - "grade": "A", - "destinations": [ - "dynamic email recipient (includeCreators)" - ], - "dependency_visibility": "No dependency data", - "dependency_note": "No metadata.dependencies or repo_url were exposed by this MCP server." - }, - { - "tool_name": "imprint-rank-creators-for-brand", - "action": "ALLOW", - "grade": "A", - "destinations": [ - "dynamic email recipient (maxCreators)", - "dynamic email recipient (targetCustomer)" - ], - "dependency_visibility": "No dependency data", - "dependency_note": "No metadata.dependencies or repo_url were exposed by this MCP server." - } - ], - "scan_history": [ - { - "scan_date": "2026-05-23T02:21:49Z", - "grade": "B", - "risk_score": 17, - "version": "smithery" - }, - { - "scan_date": "2026-05-24T02:40:58Z", - "grade": "B", - "risk_score": 17, - "version": "smithery" - } - ] -} \ No newline at end of file diff --git a/data/static-tools/helix-pilot.json b/data/static-tools/helix-pilot.json new file mode 100644 index 000000000..e6458a195 --- /dev/null +++ b/data/static-tools/helix-pilot.json 
@@ -0,0 +1,254 @@ +{ + "tools": [ + { + "name": "screenshot", + "description": "Capture a screenshot of the screen or a specific window.", + "metadata": {"repo_url": "https://github.com/tsunamayo7/helix-pilot", "dependencies": [{"name": "fastmcp", "version": ">=2.0.0", "ecosystem": "PyPI"}, {"name": "httpx", "version": ">=0.27.0", "ecosystem": "PyPI"}, {"name": "numpy", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pillow", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pyautogui", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pygetwindow", "version": "unknown", "ecosystem": "PyPI"}]}, + "inputSchema": { + "type": "object", + "properties": { + "window": { "type": "string", "description": "Target window title. Empty captures the full screen." }, + "name": { "type": "string", "description": "Filename stem for the saved screenshot." } + } + } + }, + { + "name": "click", + "description": "Click at screen coordinates.", + "metadata": {"repo_url": "https://github.com/tsunamayo7/helix-pilot", "dependencies": [{"name": "fastmcp", "version": ">=2.0.0", "ecosystem": "PyPI"}, {"name": "httpx", "version": ">=0.27.0", "ecosystem": "PyPI"}, {"name": "numpy", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pillow", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pyautogui", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pygetwindow", "version": "unknown", "ecosystem": "PyPI"}]}, + "inputSchema": { + "type": "object", + "properties": { + "x": { "type": "integer", "description": "X coordinate in pixels." }, + "y": { "type": "integer", "description": "Y coordinate in pixels." }, + "window": { "type": "string", "description": "Target window title to activate first." }, + "button": { "type": "string", "description": "Mouse button: left, right, or middle." }, + "double": { "type": "boolean", "description": "Perform a double-click when true." 
} + }, + "required": ["x", "y"] + } + }, + { + "name": "type_text", + "description": "Type text into the focused window or a specific window.", + "metadata": {"repo_url": "https://github.com/tsunamayo7/helix-pilot", "dependencies": [{"name": "fastmcp", "version": ">=2.0.0", "ecosystem": "PyPI"}, {"name": "httpx", "version": ">=0.27.0", "ecosystem": "PyPI"}, {"name": "numpy", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pillow", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pyautogui", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pygetwindow", "version": "unknown", "ecosystem": "PyPI"}]}, + "inputSchema": { + "type": "object", + "properties": { + "text": { "type": "string", "description": "Text to type. Supports Unicode." }, + "window": { "type": "string", "description": "Target window title to activate first." } + }, + "required": ["text"] + } + }, + { + "name": "hotkey", + "description": "Send a keyboard shortcut.", + "metadata": {"repo_url": "https://github.com/tsunamayo7/helix-pilot", "dependencies": [{"name": "fastmcp", "version": ">=2.0.0", "ecosystem": "PyPI"}, {"name": "httpx", "version": ">=0.27.0", "ecosystem": "PyPI"}, {"name": "numpy", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pillow", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pyautogui", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pygetwindow", "version": "unknown", "ecosystem": "PyPI"}]}, + "inputSchema": { + "type": "object", + "properties": { + "keys": { "type": "string", "description": "Key combination, e.g. ctrl+c, alt+tab, ctrl+shift+s." }, + "window": { "type": "string", "description": "Target window title to activate first." 
} + }, + "required": ["keys"] + } + }, + { + "name": "scroll", + "description": "Scroll the mouse wheel.", + "metadata": {"repo_url": "https://github.com/tsunamayo7/helix-pilot", "dependencies": [{"name": "fastmcp", "version": ">=2.0.0", "ecosystem": "PyPI"}, {"name": "httpx", "version": ">=0.27.0", "ecosystem": "PyPI"}, {"name": "numpy", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pillow", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pyautogui", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pygetwindow", "version": "unknown", "ecosystem": "PyPI"}]}, + "inputSchema": { + "type": "object", + "properties": { + "amount": { "type": "integer", "description": "Scroll amount. Positive is up, negative is down." }, + "window": { "type": "string", "description": "Target window title to activate first." } + }, + "required": ["amount"] + } + }, + { + "name": "describe", + "description": "Describe current screen content using a local Ollama Vision LLM.", + "metadata": {"repo_url": "https://github.com/tsunamayo7/helix-pilot", "dependencies": [{"name": "fastmcp", "version": ">=2.0.0", "ecosystem": "PyPI"}, {"name": "httpx", "version": ">=0.27.0", "ecosystem": "PyPI"}, {"name": "numpy", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pillow", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pyautogui", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pygetwindow", "version": "unknown", "ecosystem": "PyPI"}]}, + "inputSchema": { + "type": "object", + "properties": { + "window": { "type": "string", "description": "Target window title. Empty captures the full screen." 
} + } + } + }, + { + "name": "find", + "description": "Find a UI element on screen by description using a local Vision LLM and return pixel coordinates.", + "metadata": {"repo_url": "https://github.com/tsunamayo7/helix-pilot", "dependencies": [{"name": "fastmcp", "version": ">=2.0.0", "ecosystem": "PyPI"}, {"name": "httpx", "version": ">=0.27.0", "ecosystem": "PyPI"}, {"name": "numpy", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pillow", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pyautogui", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pygetwindow", "version": "unknown", "ecosystem": "PyPI"}]}, + "inputSchema": { + "type": "object", + "properties": { + "description": { "type": "string", "description": "Natural-language description of the element to find." }, + "window": { "type": "string", "description": "Target window title. Empty captures the full screen." }, + "refine": { "type": "boolean", "description": "Perform a second pass for higher accuracy." } + }, + "required": ["description"] + } + }, + { + "name": "verify", + "description": "Verify that the screen matches an expected state using a local Vision LLM.", + "metadata": {"repo_url": "https://github.com/tsunamayo7/helix-pilot", "dependencies": [{"name": "fastmcp", "version": ">=2.0.0", "ecosystem": "PyPI"}, {"name": "httpx", "version": ">=0.27.0", "ecosystem": "PyPI"}, {"name": "numpy", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pillow", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pyautogui", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pygetwindow", "version": "unknown", "ecosystem": "PyPI"}]}, + "inputSchema": { + "type": "object", + "properties": { + "expected": { "type": "string", "description": "Description of the expected screen state." }, + "window": { "type": "string", "description": "Target window title. Empty captures the full screen." 
} + }, + "required": ["expected"] + } + }, + { + "name": "status", + "description": "Check helix-pilot system status, including Ollama connection, available Vision models, screen resolution, and visible windows.", + "metadata": {"repo_url": "https://github.com/tsunamayo7/helix-pilot", "dependencies": [{"name": "fastmcp", "version": ">=2.0.0", "ecosystem": "PyPI"}, {"name": "httpx", "version": ">=0.27.0", "ecosystem": "PyPI"}, {"name": "numpy", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pillow", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pyautogui", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pygetwindow", "version": "unknown", "ecosystem": "PyPI"}]}, + "inputSchema": { "type": "object", "properties": {} } + }, + { + "name": "list_windows", + "description": "List all visible windows on the desktop with titles, positions, and sizes.", + "metadata": {"repo_url": "https://github.com/tsunamayo7/helix-pilot", "dependencies": [{"name": "fastmcp", "version": ">=2.0.0", "ecosystem": "PyPI"}, {"name": "httpx", "version": ">=0.27.0", "ecosystem": "PyPI"}, {"name": "numpy", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pillow", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pyautogui", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pygetwindow", "version": "unknown", "ecosystem": "PyPI"}]}, + "inputSchema": { "type": "object", "properties": {} } + }, + { + "name": "wait_stable", + "description": "Wait until the screen content stabilizes by repeatedly capturing screenshots.", + "metadata": {"repo_url": "https://github.com/tsunamayo7/helix-pilot", "dependencies": [{"name": "fastmcp", "version": ">=2.0.0", "ecosystem": "PyPI"}, {"name": "httpx", "version": ">=0.27.0", "ecosystem": "PyPI"}, {"name": "numpy", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pillow", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pyautogui", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pygetwindow", "version": "unknown", 
"ecosystem": "PyPI"}]}, + "inputSchema": { + "type": "object", + "properties": { + "timeout": { "type": "integer", "description": "Maximum wait time in seconds." }, + "window": { "type": "string", "description": "Target window title. Empty captures the full screen." } + } + } + }, + { + "name": "auto", + "description": "Execute an autonomous GUI task using Vision LLM. The model analyzes the screen and performs a sequence of GUI operations.", + "metadata": {"repo_url": "https://github.com/tsunamayo7/helix-pilot", "dependencies": [{"name": "fastmcp", "version": ">=2.0.0", "ecosystem": "PyPI"}, {"name": "httpx", "version": ">=0.27.0", "ecosystem": "PyPI"}, {"name": "numpy", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pillow", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pyautogui", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pygetwindow", "version": "unknown", "ecosystem": "PyPI"}]}, + "inputSchema": { + "type": "object", + "properties": { + "instruction": { "type": "string", "description": "Task to perform, such as opening an app and typing text." }, + "window": { "type": "string", "description": "Target window title." }, + "dry_run": { "type": "boolean", "description": "Plan actions without executing them." 
} + }, + "required": ["instruction"] + } + }, + { + "name": "browse", + "description": "Execute a browser automation task using Vision LLM, including navigation, clicks, forms, and information extraction.", + "metadata": {"repo_url": "https://github.com/tsunamayo7/helix-pilot", "dependencies": [{"name": "fastmcp", "version": ">=2.0.0", "ecosystem": "PyPI"}, {"name": "httpx", "version": ">=0.27.0", "ecosystem": "PyPI"}, {"name": "numpy", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pillow", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pyautogui", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pygetwindow", "version": "unknown", "ecosystem": "PyPI"}]}, + "inputSchema": { + "type": "object", + "properties": { + "instruction": { "type": "string", "description": "Task to perform in the browser." }, + "window": { "type": "string", "description": "Browser window title." }, + "dry_run": { "type": "boolean", "description": "Plan actions without executing them." } + }, + "required": ["instruction"] + } + }, + { + "name": "click_screenshot", + "description": "Click at coordinates and immediately take a screenshot.", + "metadata": {"repo_url": "https://github.com/tsunamayo7/helix-pilot", "dependencies": [{"name": "fastmcp", "version": ">=2.0.0", "ecosystem": "PyPI"}, {"name": "httpx", "version": ">=0.27.0", "ecosystem": "PyPI"}, {"name": "numpy", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pillow", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pyautogui", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pygetwindow", "version": "unknown", "ecosystem": "PyPI"}]}, + "inputSchema": { + "type": "object", + "properties": { + "x": { "type": "integer", "description": "X coordinate in pixels." }, + "y": { "type": "integer", "description": "Y coordinate in pixels." }, + "window": { "type": "string", "description": "Target window title." }, + "button": { "type": "string", "description": "Mouse button: left, right, or middle." 
}, + "double": { "type": "boolean", "description": "Perform a double-click when true." }, + "name": { "type": "string", "description": "Filename stem for the screenshot." }, + "delay": { "type": "number", "description": "Seconds to wait between click and screenshot." } + }, + "required": ["x", "y"] + } + }, + { + "name": "resize_image", + "description": "Resize an image to fit within a maximum dimension.", + "metadata": {"repo_url": "https://github.com/tsunamayo7/helix-pilot", "dependencies": [{"name": "fastmcp", "version": ">=2.0.0", "ecosystem": "PyPI"}, {"name": "httpx", "version": ">=0.27.0", "ecosystem": "PyPI"}, {"name": "numpy", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pillow", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pyautogui", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pygetwindow", "version": "unknown", "ecosystem": "PyPI"}]}, + "inputSchema": { + "type": "object", + "properties": { + "path": { "type": "string", "description": "Source image file path." }, + "max_dim": { "type": "integer", "description": "Maximum dimension in pixels." }, + "output": { "type": "string", "description": "Output path. Empty appends a preview suffix." } + }, + "required": ["path"] + } + }, + { + "name": "spawn_pilot_agent", + "description": "Start a background helix-pilot agent for auto or browse GUI workflows.", + "metadata": {"repo_url": "https://github.com/tsunamayo7/helix-pilot", "dependencies": [{"name": "fastmcp", "version": ">=2.0.0", "ecosystem": "PyPI"}, {"name": "httpx", "version": ">=0.27.0", "ecosystem": "PyPI"}, {"name": "numpy", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pillow", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pyautogui", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pygetwindow", "version": "unknown", "ecosystem": "PyPI"}]}, + "inputSchema": { + "type": "object", + "properties": { + "instruction": { "type": "string", "description": "Initial GUI task instruction." 
}, + "description": { "type": "string", "description": "Human-readable agent description." }, + "agent_type": { "type": "string", "description": "Agent role: default, explorer, or worker." }, + "task_mode": { "type": "string", "description": "Task mode: auto or browse." }, + "window": { "type": "string", "description": "Target window title." }, + "dry_run": { "type": "boolean", "description": "Plan actions without executing them." } + }, + "required": ["instruction"] + } + }, + { + "name": "send_pilot_agent_input", + "description": "Continue an existing helix-pilot GUI agent with a follow-up instruction.", + "metadata": {"repo_url": "https://github.com/tsunamayo7/helix-pilot", "dependencies": [{"name": "fastmcp", "version": ">=2.0.0", "ecosystem": "PyPI"}, {"name": "httpx", "version": ">=0.27.0", "ecosystem": "PyPI"}, {"name": "numpy", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pillow", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pyautogui", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pygetwindow", "version": "unknown", "ecosystem": "PyPI"}]}, + "inputSchema": { + "type": "object", + "properties": { + "agent_id": { "type": "string", "description": "Tracked agent identifier." }, + "instruction": { "type": "string", "description": "Follow-up GUI task instruction." 
} + }, + "required": ["agent_id", "instruction"] + } + }, + { + "name": "wait_pilot_agent", + "description": "Wait for a background helix-pilot agent to finish its current turn.", + "metadata": {"repo_url": "https://github.com/tsunamayo7/helix-pilot", "dependencies": [{"name": "fastmcp", "version": ">=2.0.0", "ecosystem": "PyPI"}, {"name": "httpx", "version": ">=0.27.0", "ecosystem": "PyPI"}, {"name": "numpy", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pillow", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pyautogui", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pygetwindow", "version": "unknown", "ecosystem": "PyPI"}]}, + "inputSchema": { + "type": "object", + "properties": { + "agent_id": { "type": "string", "description": "Tracked agent identifier." }, + "timeout": { "type": "integer", "description": "Maximum wait time in seconds." } + }, + "required": ["agent_id"] + } + }, + { + "name": "list_pilot_agents", + "description": "List all tracked helix-pilot background GUI agents.", + "metadata": {"repo_url": "https://github.com/tsunamayo7/helix-pilot", "dependencies": [{"name": "fastmcp", "version": ">=2.0.0", "ecosystem": "PyPI"}, {"name": "httpx", "version": ">=0.27.0", "ecosystem": "PyPI"}, {"name": "numpy", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pillow", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pyautogui", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pygetwindow", "version": "unknown", "ecosystem": "PyPI"}]}, + "inputSchema": { "type": "object", "properties": {} } + }, + { + "name": "close_pilot_agent", + "description": "Close an idle helix-pilot GUI agent and keep its last known result.", + "metadata": {"repo_url": "https://github.com/tsunamayo7/helix-pilot", "dependencies": [{"name": "fastmcp", "version": ">=2.0.0", "ecosystem": "PyPI"}, {"name": "httpx", "version": ">=0.27.0", "ecosystem": "PyPI"}, {"name": "numpy", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pillow", "version": 
"unknown", "ecosystem": "PyPI"}, {"name": "pyautogui", "version": "unknown", "ecosystem": "PyPI"}, {"name": "pygetwindow", "version": "unknown", "ecosystem": "PyPI"}]}, + "inputSchema": { + "type": "object", + "properties": { + "agent_id": { "type": "string", "description": "Tracked agent identifier." } + }, + "required": ["agent_id"] + } + } + ] +} diff --git a/docs/full-directory.md b/docs/full-directory.md index 69c8afd36..4f99972f5 100644 --- a/docs/full-directory.md +++ b/docs/full-directory.md @@ -377,6 +377,7 @@ All 1189 audited tools. [← Back to README](../README.md#-security-registry) | [dazeb-markdown-downloader](https://github.com/dazeb/markdown-downloader) | `1.0.0` | 15/mo | **[C](tools/dazeb-markdown-downloader.md)** | 🔑 `AS-002` ×10, ⚡ `AS-011` ×5, `AS-014` ×5 | May 17 | | [nginx-ui](https://github.com/0xJacky/nginx-ui) | `2.3.11` | 15/mo | **[I](tools/nginx-ui.md)** | `AS-018` | May 29 | | [streen9-react-mcp](https://github.com/kalivaraprasad-gonapa/react-mcp) | `0.1.0` | 13/mo | **[C](tools/streen9-react-mcp.md)** | `AS-012`, 🔑 `AS-002` ×8, ⚡ `AS-011` ×5, `AS-014` ×16, 📐 `AS-003` | May 17 | +| [helix-pilot](https://github.com/tsunamayo7/helix-pilot) | `2.0.0` | 4 | **[B](tools/helix-pilot.md)** | 🔑 `AS-002` ×5, ⚡ `AS-011` ×4 | May 29 | | [rahular101-test-101](https://smithery.ai/server/rahular101/test-101) | `smithery` | — | **[A](tools/rahular101-test-101.md)** | `AS-014` ×3 | May 29 | | [aitutor3-calculator-mcp-test](https://smithery.ai/server/AITutor3/calculator-mcp-test) | `smithery` | — | **[A](tools/aitutor3-calculator-mcp-test.md)** | `AS-014` ×4 | May 29 | | [maxsambento-morfex](https://smithery.ai/server/maxsambento/morfex) | `smithery` | — | **[A](tools/maxsambento-morfex.md)** | `AS-014` ×4 | May 29 | 
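Review bot: In `data/static-tools/helix-pilot.json`, the `metadata.dependencies` list repeated on every tool entry records numpy, pillow, pyautogui and pygetwindow as `"version": "unknown"` and fastmcp/httpx only as lower bounds (`>=2.0.0`, `>=0.27.0`), so nothing in this inventory can be matched against a specific vulnerable release. The helix-pilot report added in the same commit carries no `AS-014` finding, which suggests (not confirmed from the diff) that the mere presence of the field is treated as full supply-chain visibility. I would record resolved versions from the project's lockfile or published package metadata, e.g. `{"name": "pillow", "version": "<resolved-version>", "ecosystem": "PyPI"}`, or have unresolved entries surface as limited coverage instead of passing silently. Separately, the entries for `type_text`, `hotkey` and `click` carry no permission hint, and the report flags only `find`, `auto`, `browse`, `resize_image` and `spawn_pilot_agent`, so the keyboard and mouse input tools contribute nothing to the B grade; that coverage is worth confirming before the directory row is published.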
@@ -609,7 +610,6 @@ All 1189 audited tools. [← Back to README](../README.md#-security-registry) | [arizeai-docs](https://smithery.ai/server/ArizeAI/docs) | `smithery` | — | **[B](tools/arizeai-docs.md)** | 🔑 `AS-002`, ⚡ `AS-011`, `AS-014` | May 25 | | [node2flow-instagram](https://smithery.ai/server/node2flow/instagram) | `smithery` | — | **[B](tools/node2flow-instagram.md)** | 🔑 `AS-002` ×12, `AS-014` ×22, ⚡ `AS-011` ×9 | Apr 19 | | [vdineshk-sg-workpass-compass-mcp](https://smithery.ai/server/vdineshk/sg-workpass-compass-mcp) | `smithery` | — | **[B](tools/vdineshk-sg-workpass-compass-mcp.md)** | 🔑 `AS-002`, ⚡ `AS-011`, `AS-014` ×4 | May 21 | -| [james-bf0v-imprint-intelligence](https://smithery.ai/server/james-bf0v/imprint-intelligence) | `smithery` | — | **[B](tools/james-bf0v-imprint-intelligence.md)** | 🔑 `AS-002` ×3, ⚡ `AS-011`, `AS-014` ×7 | May 25 | | [nefesh-ai-human-state](https://smithery.ai/server/nefesh-ai/human-state) | `smithery` | — | **[B](tools/nefesh-ai-human-state.md)** | `AS-014` ×6, 🔑 `AS-002` ×4, ⚡ `AS-011` ×2 | May 27 | | [ghostrouter-ghostrouter-web](https://smithery.ai/server/ghostrouter/ghostrouter-web) | `smithery` | — | **[B](tools/ghostrouter-ghostrouter-web.md)** | 🔑 `AS-002` ×2, ⚡ `AS-011` ×2, `AS-014` ×2 | May 18 | | [kuibin-dev-hsk-mcp](https://smithery.ai/server/kuibin-dev/hsk-mcp) | `smithery` | — | **[B](tools/kuibin-dev-hsk-mcp.md)** | `AS-014` ×13, 🔑 `AS-002`, ⚡ `AS-011` | May 29 | 
@@ -1271,4 +1271,3 @@ All 1189 audited tools. [← Back to README](../README.md#-security-registry) | [ta-mcp-technical-analysis-mcp](https://smithery.ai/server/ta-mcp/technical-analysis-mcp) | `smithery` | — | **[F](tools/ta-mcp-technical-analysis-mcp.md)** | 🔑 `AS-002` ×25, ⚡ `AS-011` ×8, `AS-014` ×11, ⚡ `AS-006` ×2 | May 19 | | [composio-rube](https://smithery.ai/server/Composio/Rube) | `smithery` | — | **[F](tools/composio-rube.md)** | 🔑 `AS-002` ×26, ⚡ `AS-011` ×9, `AS-014` ×11, ⚡ `AS-006` ×3 | Apr 3 | | [powerly-powerly](https://smithery.ai/server/powerly/powerly) | `smithery` | — | **[F](tools/powerly-powerly.md)** | `AS-014` ×7, 🔑 `AS-002` ×5, 🗝️ `AS-010` ×9, ⚡ `AS-011` ×3 | Apr 19 | - diff --git a/docs/tools/helix-pilot.md b/docs/tools/helix-pilot.md new file mode 100644 index 000000000..9cbcd9268 --- /dev/null +++ b/docs/tools/helix-pilot.md 
@@ -0,0 +1,139 @@ +# 🟡 helix-pilot + +> GUI automation MCP server powered by local Vision LLM (Ollama). Control your Windows desktop from Claude Code, Codex CLI, and other MCP clients. + +| Field | Value | +|-------|-------| +| **Grade** | **B** | +| **Risk Score** | 17 | +| **Version** | `2.0.0` | +| **Vendor** | tsunamayo7 | +| **Stars** | ⭐ 4 | +| **Language** | Python | +| **Source** | [helix-pilot](https://github.com/tsunamayo7/helix-pilot) | +| **Scan Date** | 2026-05-29 | +| **Scanner** | tooltrust-scanner/v0.3.12 | + +--- + +## Findings Summary + +| Severity | Count | +|----------|:-----:| +| Critical | 0 | +| High | 4 | +| Medium | 1 | +| Low | 4 | +| Info | 0 | + +## Detailed Findings + +### 🟠 🔑 `AS-002` — Excessive Permission Surface + +**Severity:** High + +**Description:** +tool declares exec permission + +**Recommendation:** +Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories. + +--- + +### 🔵 ⚡ `AS-011` — DoS Resilience — Missing Rate Limit / Timeout + +**Severity:** Low + +**Description:** +tool performs network or execution operations but declares no rate-limit, timeout, or retry configuration + +**Recommendation:** +Declare explicit rate-limit, timeout, and retry configuration for all network and execution tools. Implement exponential back-off and surface resource state to the calling agent. + +--- + +### 🟠 🔑 `AS-002` — Excessive Permission Surface + +**Severity:** High + +**Description:** +tool declares exec permission + +**Recommendation:** +Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories. 
+ +--- + +### 🔵 ⚡ `AS-011` — DoS Resilience — Missing Rate Limit / Timeout + +**Severity:** Low + +**Description:** +tool performs network or execution operations but declares no rate-limit, timeout, or retry configuration + +**Recommendation:** +Declare explicit rate-limit, timeout, and retry configuration for all network and execution tools. Implement exponential back-off and surface resource state to the calling agent. + +--- + +### 🟠 🔑 `AS-002` — Excessive Permission Surface + +**Severity:** High + +**Description:** +tool declares exec permission + +**Recommendation:** +Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories. + +--- + +### 🔵 ⚡ `AS-011` — DoS Resilience — Missing Rate Limit / Timeout + +**Severity:** Low + +**Description:** +tool performs network or execution operations but declares no rate-limit, timeout, or retry configuration + +**Recommendation:** +Declare explicit rate-limit, timeout, and retry configuration for all network and execution tools. Implement exponential back-off and surface resource state to the calling agent. + +--- + +### 🟡 🔑 `AS-002` — Excessive Permission Surface + +**Severity:** Medium + +**Description:** +tool declares fs permission + +**Recommendation:** +Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories. + +--- + +### 🟠 🔑 `AS-002` — Excessive Permission Surface + +**Severity:** High + +**Description:** +tool declares exec permission + +**Recommendation:** +Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories. 
+ +--- + +### 🔵 ⚡ `AS-011` — DoS Resilience — Missing Rate Limit / Timeout + +**Severity:** Low + +**Description:** +tool performs network or execution operations but declares no rate-limit, timeout, or retry configuration + +**Recommendation:** +Declare explicit rate-limit, timeout, and retry configuration for all network and execution tools. Implement exponential back-off and surface resource state to the calling agent. + +--- + +*Scored using [ToolTrust methodology](../methodology.md) · [Raw JSON report](../../data/reports/helix-pilot.json)* diff --git a/docs/tools/james-bf0v-imprint-intelligence.md b/docs/tools/james-bf0v-imprint-intelligence.md deleted file mode 100644 index 078389ee3..000000000 --- a/docs/tools/james-bf0v-imprint-intelligence.md +++ /dev/null 
@@ -1,167 +0,0 @@ -# 🟡 james-bf0v-imprint-intelligence - -> Agent-callable creator-audience intelligence. 952+ scored YouTube creators across 180 niches. Search, niche landscapes, deep profiles, brand-creator ranking. Free tier requires no key. - -Imprint scores creators across six axes (Voice, Audience, Product, Partnership, Risk, Reach), maps niches into landscapes, and ranks creators against brand briefs. The same data that powers byimprint.com/intelligence reports is reachable from Claude, ChatGPT, Cursor, and any MCP-aware client through one install. - -Pricing: Free (100 calls/day) · Indie $49/mo (5K calls) · Agency $499/mo (50K calls + 5 brand-creator ranks/mo, $99/call after) · Pay-per-call ($99/rank, $5/map-synthesize). - -Open-source client: github.com/byimprint/mcp-server (MIT). npm: @byimprint/mcp-server. - -| Field | Value | -|-------|-------| -| **Grade** | **B** | -| **Risk Score** | 17 | -| **Version** | `smithery` | -| **Vendor** | Smithery | -| **Source** | [james-bf0v-imprint-intelligence](https://smithery.ai/server/james-bf0v/imprint-intelligence) | -| **Scan Date** | 2026-05-25 | -| **Scanner** | tooltrust-scanner/v0.3.12 | - ---- - -## Findings Summary - -| Severity | Count | -|----------|:-----:| -| Critical | 0 | -| High | 1 | -| Medium | 0 | -| Low | 3 | -| Info | 7 | - -## Detailed Findings - -### 🟠 🔑 `AS-002` — Excessive Permission Surface - -**Severity:** High - -**Description:** -tool declares network permission - -**Recommendation:** -Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories. 
- ---- - -### 🔵 ⚡ `AS-011` — DoS Resilience — Missing Rate Limit / Timeout - -**Severity:** Low - -**Description:** -tool performs network or execution operations but declares no rate-limit, timeout, or retry configuration - -**Recommendation:** -Declare explicit rate-limit, timeout, and retry configuration for all network and execution tools. Implement exponential back-off and surface resource state to the calling agent. - ---- - -### ⚪ `AS-014` — DEPENDENCY_INVENTORY_UNAVAILABLE - -**Severity:** Info - -**Description:** -Tool did not expose metadata.dependencies or repo_url, so supply-chain coverage is limited. - -**Recommendation:** -Review and remediate the identified issue. - ---- - -### ⚪ `AS-014` — DEPENDENCY_INVENTORY_UNAVAILABLE - -**Severity:** Info - -**Description:** -Tool did not expose metadata.dependencies or repo_url, so supply-chain coverage is limited. - -**Recommendation:** -Review and remediate the identified issue. - ---- - -### 🔵 🔑 `AS-002` — Excessive Permission Surface - -**Severity:** Low - -**Description:** -input schema exposes 12 properties (threshold: 10) - -**Recommendation:** -Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories. - ---- - -### ⚪ `AS-014` — DEPENDENCY_INVENTORY_UNAVAILABLE - -**Severity:** Info - -**Description:** -Tool did not expose metadata.dependencies or repo_url, so supply-chain coverage is limited. - -**Recommendation:** -Review and remediate the identified issue. - ---- - -### ⚪ `AS-014` — DEPENDENCY_INVENTORY_UNAVAILABLE - -**Severity:** Info - -**Description:** -Tool did not expose metadata.dependencies or repo_url, so supply-chain coverage is limited. - -**Recommendation:** -Review and remediate the identified issue. 
-
----
-
-### ⚪ `AS-014` — DEPENDENCY_INVENTORY_UNAVAILABLE
-
-**Severity:** Info
-
-**Description:**
-Tool did not expose metadata.dependencies or repo_url, so supply-chain coverage is limited.
-
-**Recommendation:**
-Review and remediate the identified issue.
-
----
-
-### ⚪ `AS-014` — DEPENDENCY_INVENTORY_UNAVAILABLE
-
-**Severity:** Info
-
-**Description:**
-Tool did not expose metadata.dependencies or repo_url, so supply-chain coverage is limited.
-
-**Recommendation:**
-Review and remediate the identified issue.
-
----
-
-### 🔵 🔑 `AS-002` — Excessive Permission Surface
-
-**Severity:** Low
-
-**Description:**
-input schema exposes 11 properties (threshold: 10)
-
-**Recommendation:**
-Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.
-
----
-
-### ⚪ `AS-014` — DEPENDENCY_INVENTORY_UNAVAILABLE
-
-**Severity:** Info
-
-**Description:**
-Tool did not expose metadata.dependencies or repo_url, so supply-chain coverage is limited.
-
-**Recommendation:**
-Review and remediate the identified issue.
-
----
-
-*Scored using [ToolTrust methodology](../methodology.md) · [Raw JSON report](../../data/reports/james-bf0v-imprint-intelligence.json)*
diff --git a/pkg/sync/github.go b/pkg/sync/github.go
index fec501541..98088a306 100644
--- a/pkg/sync/github.go
+++ b/pkg/sync/github.go
@@ -230,6 +230,9 @@ func loadReports(dir string) ([]Report, error) {
 func isPublicReport(r Report) bool {
 if strings.Contains(r.SourceURL, "github.com") && r.Stars < MinPublicGitHubStars {
+ if r.Category == "Scan Request" {
+ return true
+ }
 return false
 }
 return true
diff --git a/pkg/sync/github_test.go b/pkg/sync/github_test.go
index 2cd945db4..6ebfcacd1 100644
--- a/pkg/sync/github_test.go
+++ b/pkg/sync/github_test.go
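Review bot: The new branch in `isPublicReport` lifts the `MinPublicGitHubStars` floor on nothing more than `r.Category == "Scan Request"`, a value read from the report JSON. Nothing in this hunk shows which component sets `category`; if a scan submitter can influence it, the star floor no longer gates publication of GitHub-sourced reports. A doc comment on `isPublicReport` should say who sets the field and why requested scans are exempt. The literal is better as a named constant shared with the test, e.g. `const scanRequestCategory = "Scan Request"`, and the nested branch then collapses to `return r.Category == scanRequestCategory` inside the star check. The function's closing brace is outside the hunk.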
@@ -222,6 +222,35 @@ func TestLoadReports(t *testing.T) {
 }
 }
+func TestLoadReportsIncludesScanRequestBelowStarFloor(t *testing.T) {
+ dir := t.TempDir()
+
+ scanRequest := `{"tool_id":"requested","version":"1.0.0","grade":"B","risk_score":17,
+ "scan_date":"2026-01-01T00:00:00Z","scanner":"tooltrust-scanner/0.1.2",
+ "source_url":"https://github.com/example/requested","stars":4,"category":"Scan Request",
+ "findings":[],"summary":{"critical":0,"high":0,"medium":0,"low":0,"info":0},
+ "methodology":"https://example.com/methodology"}`
+ os.WriteFile(filepath.Join(dir, "requested.json"), []byte(scanRequest), 0o644)
+
+ lowStarDiscovery := `{"tool_id":"low-star","version":"1.0.0","grade":"A","risk_score":0,
+ "scan_date":"2026-01-01T00:00:00Z","scanner":"tooltrust-scanner/0.1.2",
+ "source_url":"https://github.com/example/low-star","stars":4,
+ "findings":[],"summary":{"critical":0,"high":0,"medium":0,"low":0,"info":0},
+ "methodology":"https://example.com/methodology"}`
+ os.WriteFile(filepath.Join(dir, "low-star.json"), []byte(lowStarDiscovery), 0o644)
+
+ reports, err := loadReports(dir)
+ if err != nil {
+ t.Fatalf("loadReports: %v", err)
+ }
+ if len(reports) != 1 {
+ t.Fatalf("expected 1 public report, got %d", len(reports))
+ }
+ if reports[0].ToolID != "requested" {
+ t.Fatalf("expected requested scan to be public, got %q", reports[0].ToolID)
+ }
+}
+
 func TestUpdateRegistryDollarInDescription(t *testing.T) {
 dir := t.TempDir()
 reportsDir := filepath.Join(dir, "data", "reports")
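Review bot: Both `os.WriteFile` calls in `TestLoadReportsIncludesScanRequestBelowStarFloor` discard their error, so a failed fixture write shows up as a misleading "expected 1 public report" failure instead of the real cause. Wrap each one as `if err := os.WriteFile(path, data, 0o644); err != nil { t.Fatal(err) }`. The test also covers the exemption only for the exact `"Scan Request"` value. A third fixture below the star floor with a different category (a constructed value such as `"scan request"`) would pin the bypass as an exact match, so the visibility gate cannot widen unnoticed.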