Continuous security scanning of public AI agent skill registries. The "Mozilla Observatory" for AI agents.
Aguara Observatory crawls every public AI agent skills registry and MCP server directory, scans them with Aguara (a deterministic security scanner for AI agents), and publishes the results as open data.
Registries monitored:
- skills.sh — 60,000+ skills
- ClawHub — 5,000+ skills
- PulseMCP — 8,600+ MCP servers
- mcp.so — 17,000+ MCP servers
- LobeHub — 5,000+ plugins
```
Cron (daily)
  ├── crawl-skills-sh.yml  (4 shards A-F/G-L/M-R/S-Z)
  ├── crawl-clawhub.yml    (1 job)
  └── crawl-mcp.yml        (3 jobs: PulseMCP, mcp.so, LobeHub)
         │
         ▼
  scan.yml       (download Aguara binary, scan all)
         │
         ▼
  aggregate.yml  (scores, stats, trends)
         │
         ▼
  publish.yml    (build Astro → GitHub Pages)
```
- Crawlers: Python scripts that discover and download skill/server content
- Scanner: Runs Aguara on downloaded content
- Aggregator: Computes scores (A-F), daily stats, trends, benchmarks
- Dashboard: Static Astro site served via GitHub Pages
- Database: Turso (SQLite edge) for persistent state
- API: Static JSON files generated by aggregator
Each skill starts at 100 points:
- CRITICAL finding: -25 points
- HIGH finding: -15 points
- MEDIUM finding: -8 points
- LOW finding: -3 points
| Grade | Score Range |
|---|---|
| A | 90-100 |
| B | 75-89 |
| C | 50-74 |
| D | 25-49 |
| F | 0-24 |
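
The scoring rule above as a runnable sketch. This is an added example, not the Observatory's aggregator code: the function names and sample data are constructed, and flooring the score at 0 and rejecting unknown severities are assumptions the page does not state.

```python
from collections import Counter

# Penalties and grade bands exactly as listed on this page.
PENALTY = {"CRITICAL": 25, "HIGH": 15, "MEDIUM": 8, "LOW": 3}
BANDS = [(90, "A"), (75, "B"), (50, "C"), (25, "D"), (0, "F")]


def score(severities):
    """Start at 100 and subtract the penalty for each finding.

    Assumptions: the result is floored at 0 (the F band ends at 0), and a
    severity outside the four listed raises instead of scoring as clean.
    """
    total = 100
    for sev in severities:
        key = sev.strip().upper()
        if key not in PENALTY:
            raise ValueError(f"unknown severity: {sev!r}")
        total -= PENALTY[key]
    return max(total, 0)


def grade(points):
    """Map a 0-100 score to its letter grade."""
    for floor, letter in BANDS:
        if points >= floor:
            return letter
    raise ValueError("score below 0")


def grade_distribution(results):
    """results: {skill_slug: [severity, ...]} -> Counter of letter grades."""
    return Counter(grade(score(sevs)) for sevs in results.values())


# Constructed sample data (not real scan output).
SAMPLE = {
    "clean-skill": [],
    "one-critical": ["CRITICAL"],              # 75: exactly on the B floor
    "critical-plus-low": ["CRITICAL", "LOW"],  # 72: one LOW tips it to C
    "many-lows": ["LOW"] * 4,                  # 88: four LOWs lose the A
    "noisy": ["CRITICAL"] * 5,                 # would be -25, floored to 0
}

if __name__ == "__main__":
    for slug, sevs in SAMPLE.items():
        s = score(sevs)
        print(f"{slug:20} {s:3} {grade(s)}")
    print(dict(grade_distribution(SAMPLE)))
```

A single CRITICAL finding lands exactly on the B boundary, so any additional finding drops the skill to C.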
```bash
# Install Python dependencies
make install
# Initialize database (local SQLite for dev)
make init-db
# Run tests
make test
```

| Variable | Description |
|---|---|
| `TURSO_DATABASE_URL` | Turso database URL (or `file:observatory.db` for local) |
| `TURSO_AUTH_TOKEN` | Turso auth token |
| `AGUARA_BIN` | Path to Aguara binary (auto-downloaded if not set) |
```bash
# Crawl a single registry
make crawl-skills-sh ARGS="--shard A-F"
make crawl-clawhub
# Run scan on crawled files
make scan SKILLS_DIR=data/skills-sh/
# Aggregate and export
make aggregate
# Build dashboard
make web-build
```

Generated at `web/public/api/v1/`:

| Endpoint | Description |
|---|---|
| `/api/v1/stats.json` | Global statistics |
| `/api/v1/registries.json` | Registry list with stats |
| `/api/v1/registries/{id}/stats.json` | Per-registry stats |
| `/api/v1/skills/{registry}/{slug}.json` | Individual skill report |
| `/api/v1/trends/weekly.json` | Weekly trends (52 weeks) |
| `/api/v1/categories.json` | Finding counts by category |
| `/api/v1/benchmarks/vendors.json` | Vendor comparison metrics |
| `/api/v1/feed/recent.json` | Recent critical findings |
| `/api/v1/datasets/manifest.json` | CSV/JSON download links |

Apache-2.0