2026-07-14
AI agents increasingly install third-party skills, MCP servers, and npm packages
without a human reviewing each one. That is a software supply chain, and it is actively targeted:
public audits have found hundreds of malicious skills across registries — infostealers that
harvest SSH keys, cloud credentials, browser profiles, and crypto wallets, often hidden behind fake
“prerequisites” and curl | bash chains.
The missing step is a verification an agent can call on its own, right when it needs it. Two levels:
curl -s https://lazaretto.dev/v1/known-bad/<sha256>
Exact-hash match against an indicator store refreshed daily from public threat feeds. A match is a hard stop. A non-match is not a verdict — it only means that exact hash is not on a known-bad list.
curl -s -X POST https://lazaretto.dev/v1/scan \
-H 'content-type: application/json' \
-d '{"target":{"type":"npm_package","ref":"some-pkg@1.0.0"},"depth":"full"}'
The scanner fetches the artifact in a sandbox — it never runs it — and screens for credential access, exfiltration, obfuscation, prompt-injection payloads aimed at the reading agent, install-lifecycle droppers, and bundled secrets. There is no model in the serving path, so the result is deterministic and reproducible, and every finding carries the file, line, and sanitized snippet that triggered it.
A verdict is only meaningful against the exact artifact it was computed on. Every report is bound to a content hash, so after an install you can re-hash what actually landed on disk and confirm it matches what was scanned. If it differs, treat it as unscanned.
A report describes what was detected and what is known; the decision to install
remains yours. The malicious verdict is reserved for indicator-backed matches;
behavioral heuristics reach flagged, always with evidence. See the
public rule catalog and the OpenAPI contract.
Lazaretto is the pre-install checkpoint agents call themselves. Try it · pricing.