Home/agent-protocol/Trust report

Trust and health report

agent-protocol - trust report

Sourced, dated trust signals - maintenance label posture, repository provenance, and security scan status. Not a composite safety grade.

GraphCanon updated today · GitHub synced today

Maintenance

Recency and activity heuristics from public GitHub metadata (maintenance label, momentum); methodology: github_public_v1.

Dormant18% signal

last push 459d ago · last release 2y

Provenance

Repository identity and fork provenance (github_public_v1).

Security scan

Dependency advisory security scan when a lockfile is present. Not a full code audit.

Status
35 low
Last scan
today
Scanner
osv@v1

Findings

GHSA-968p-4wvh-cqc8
@babel/runtime@7.24.4 · package-lock.json
GHSA-cj7v-w2c7-cp7c
@nestjs/common@10.3.0 · package-lock.json
GHSA-36xv-jgw5-4q75
@nestjs/core@10.3.0 · package-lock.json
GHSA-2g4f-4pwh-qvx6
ajv@6.12.6 · package-lock.json
GHSA-35jp-ww65-95wh
axios@1.6.5 · package-lock.json
GHSA-3g43-6gmg-66jw
axios@1.6.5 · package-lock.json
GHSA-3p68-rc4w-qgx5
axios@1.6.5 · package-lock.json
GHSA-3w6x-2g7m-8v23
axios@1.6.5 · package-lock.json
GHSA-43fc-jf86-j433
axios@1.6.5 · package-lock.json
GHSA-445q-vr5w-6q77
axios@1.6.5 · package-lock.json
GHSA-4hjh-wcwx-xvwj
axios@1.6.5 · package-lock.json
GHSA-5c9x-8gcm-mpgx
axios@1.6.5 · package-lock.json
GHSA-62hf-57xw-28j9
axios@1.6.5 · package-lock.json
GHSA-6chq-wfr3-2hj9
axios@1.6.5 · package-lock.json
GHSA-898c-q2cr-xwhg
axios@1.6.5 · package-lock.json
GHSA-8hc4-vh64-cxmj
axios@1.6.5 · package-lock.json
GHSA-fvcv-3m26-pcqx
axios@1.6.5 · package-lock.json
GHSA-hfxv-24rg-xrqf
axios@1.6.5 · package-lock.json
GHSA-j5f8-grm9-p9fc
axios@1.6.5 · package-lock.json
GHSA-jr5f-v2jv-69x6
axios@1.6.5 · package-lock.json
GHSA-m7pr-hjqh-92cm
axios@1.6.5 · package-lock.json
GHSA-p92q-9vqr-4j8v
axios@1.6.5 · package-lock.json
GHSA-pf86-5x62-jrwf
axios@1.6.5 · package-lock.json
GHSA-pmwg-cvhr-8vh7
axios@1.6.5 · package-lock.json
GHSA-q8qp-cvcw-x6jj
axios@1.6.5 · package-lock.json
GHSA-vf2m-468p-8v99
axios@1.6.5 · package-lock.json
GHSA-w9j2-pvgh-6h63
axios@1.6.5 · package-lock.json
GHSA-xhjh-pmcv-23jw
axios@1.6.5 · package-lock.json
GHSA-xx6v-rp6x-q39c
axios@1.6.5 · package-lock.json
GHSA-qwcr-r2fm-qrc7
body-parser@1.20.2 · package-lock.json
GHSA-f886-m6hf-6m8v
brace-expansion@1.1.11 · package-lock.json
GHSA-v6h2-p8h4-qcjw
brace-expansion@1.1.11 · package-lock.json
GHSA-grv7-fg5c-xmjg
braces@3.0.2 · package-lock.json
GHSA-pxg6-pf52-xh8x
cookie@0.6.0 · package-lock.json
GHSA-3xgq-45jj-v275
cross-spawn@7.0.3 · package-lock.json

Method and caveats:these are sourced, dated heuristics from public GitHub data and optional dependency scans. A status like "no criticals found on 2026-07-11" is not a guarantee of safety. Read the full trust methodology · JSON report at /api/graphcanon/tools/agi-inc-agent-protocol/trust.

Common questions

Is agent-protocol maintained?
GraphCanon rates agent-protocol "Dormant" (18% maintenance signal from public GitHub metadata, computed today). Last push was 459 days ago. This is a recency heuristic, not a guarantee the project will stay maintained.
Is agent-protocol safe to use?
Last scanned today (deps profile). Status: 35 low - 35 low finding(s) in the latest scan. GraphCanon does not claim the project is safe or vulnerability-free; review findings on the trust report. GraphCanon does not certify agent-protocol as safe - review maintenance, provenance, and scan findings on this page before adopting.
Is agent-protocol a fork?
No. agent-protocol is not flagged as a fork in GitHub metadata at the time of the last refresh.
Does agent-protocol have known security vulnerabilities?
Last scanned today (deps profile). Status: 35 low - 35 low finding(s) in the latest scan. GraphCanon does not claim the project is safe or vulnerability-free; review findings on the trust report.
How often is the agent-protocol trust report updated?
Trust signals refresh on GitHub ingest/refresh cycles and optional dependency/MCP scans. This report was computed today (methodology github_public_v1).
What does GraphCanon never claim about agent-protocol?
We never publish a composite safety grade, pen-test endorsement, or "verified secure" label for agent-protocol. Signals are sourced heuristics with explicit limits - see trust methodology.
How does GraphCanon assess trust for agent-protocol?
Signals are sourced from public GitHub metadata and optional dependency/MCP manifest scans, each tagged with methodology version and computed date. GraphCanon does not publish a composite safety grade. Read trust methodology for full scope and limits.