74
/ 100
25 days ago
glama

ACR — Agent Composition Records

Interaction profile registry for AI agents. Log interactions to build a behavioral profile, query it through lenses: friction, coverage, stable corridors, failure registry, and trend. 21 tools.

Is this your MCP?

Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.

Install from

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings
🚨
Secret credentials may flow to a network call
1 flow detected: ACR_API_URL. We can’t prove the destination matches the brand the credential belongs to.
🚨
Known vulnerabilities in dependencies: 2 critical, 1 high
Affects packages this MCP installs at runtime. Upgrade or remove the affected dependency.
🔐
You'll be asked for 3 credentials: ACR_MCP_AUTH_TOKEN, ADMIN_SECRET, CRON_SECRET
These are read from process.env at runtime. Make sure you trust where they’ll be sent.
// known CVEs in dependencies2 critical1 high1 medium14 low

Disclosed vulnerabilities in this server's declared npm dependencies (via OSV). Whether each is reachable depends on the installed versions.

criticalvitest@1.6GHSA-5xrq-8626-4rwp

When Vitest UI server is listening, arbitrary file can be read and executed

criticalvitest@1.6GHSA-9crc-q9x8-hgqq

Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening

highhono@4.12.14GHSA-88fw-hqm2-52qc

hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard

mediumturbo@2.0GHSA-hcf7-66rw-9f5r

Trubo: Login callback CSRF/session fixation

lowhono@4.12.14GHSA-2gcr-mfcq-wcc3

Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Depend on this server? Get alerted when its CVEs change.Watch this server free →
// required environment variables
This server reads these from process.env. You'll be asked to provide them before it can run.
configACR_API_URL
configACR_ARCH
configACR_DASHBOARD_URL
configACR_DEEP_COMPOSITION
configACR_DEVICE_CLASS
configACR_ENV_PROBE_TARGETS
configACR_IS_SERVER
🔐 secretACR_MCP_AUTH_TOKEN
configACR_PLATFORM
configACR_RESOLVER_URL
configACR_STATE_PATH
🔐 secretADMIN_SECRET
configCHURN_CHECK_ENABLED
configCHURN_THRESHOLD_PER_IP_HOUR
configCOCKROACH_CONNECTION_STRING
🔐 secretCRON_SECRET
configDISPLAY
configNEXT_PUBLIC_ACR_API_URL
configNEXT_PUBLIC_ACR_RESOLVER_URL
configPORT
configREGISTER_CHURN_CHECK_ENABLED
configREGISTER_CHURN_THRESHOLD_PER_IP_HOUR
configREGISTER_POP_REQUIRED
configSLACK_WEBHOOK_URL
configWAYLAND_DISPLAY
// full audit trail
The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.
// improvement guidance — verified publishers only
We have 8 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.
// embed badge in your README
[![M8ven Score](https://m8ven.ai/badge/mcp/tethral-inc-agentregistry-1dqf9c)](https://m8ven.ai/mcp/tethral-inc-agentregistry-1dqf9c)
commit: df47f6176ed786cb68aea1ff903f76c173461ba9
code hash: 4b6a6e4230fdf3f1cfe99785446a070acab5d838745251d9855ff3f8faf27f63
verified: 6/17/2026, 12:01:49 PM
view raw JSON →