OpenA2A: CLI · HackMyAgent · Secretless · AIM · Browser Guard · DVAA

opena2a

Open-source security platform for AI agents. Installed as opena2a-cli on npm.

npx opena2a-cli review

  OpenA2A Security Review  v0.8.11

  Findings
  -----------------------------------------------
  Credential scan        3 hardcoded keys
  Shadow AI              2 agents, 4 MCP servers
  Config integrity       unsigned
  Governance             no SOUL.md
  -----------------------------------------------
  Security Score   30 / 100  -> 85 by running opena2a protect

  Run: opena2a protect    (fix all findings)

All demos

Install globally if you prefer:

npm install -g opena2a-cli
brew tap opena2a-org/tap && brew install opena2a

Built-in Help

You do not need this README. The CLI has built-in discovery:

opena2a ?                           # Contextual recommendations for your project
opena2a ~shadow ai                  # Semantic search across all commands
opena2a "find leaked credentials"   # Natural language command matching
opena2a                             # Interactive guided wizard (no args)

Commands

Command	What it does
`opena2a review`	Full security dashboard — HTML report, 6-phase assessment
`opena2a detect`	Find shadow AI agents, MCP servers, AI configs. Governance score.
`opena2a protect`	Fix everything — credentials, .gitignore, config signing
`opena2a init`	Read-only security assessment with trust score
`opena2a identity create`	Cryptographic identity for your project
`opena2a harden-soul`	Generate SOUL.md governance rules
`opena2a scan`	204 security checks via HackMyAgent
`opena2a shield init`	Full security setup — all of the above, one command

Full command reference: opena2a.org/docs

Ecosystem

Each command routes to a specialized tool, installed on first use:

Command	Tool	Description
`detect`	Shadow AI	Discover AI agents, MCP servers, AI configs
`identity`	AIM	Cryptographic identity, audit logs, trust scoring
`scan`	HackMyAgent	204 security checks, 115 attack payloads, auto-fix
`scan-soul`	SOUL Scanner	72 governance controls, 9 domains, 6 profiles
`harden-skill`	Skill Hardener	Frontmatter validation, permission scoping, integrity pinning
`secrets`	Secretless AI	Credential management for AI coding tools
`mcp`	MCP Security	Audit, sign, and verify MCP server configurations
`benchmark`	OASB	222 attack scenarios, compliance scoring
`train`	DVAA	Vulnerable AI agent for security training
`create`	Skill Scaffolding	Secure skill templates with signing and heartbeat
`guard harden`	HackMyAgent	Scan skills for hardening issues, auto-fix

Use Cases

Developer using AI coding tools — 5 minutes
Security team assessing AI risk — 10 minutes
MCP server author — 15 minutes
CI/CD pipeline integration

Docs

Full command reference, Shield subcommands, scope drift detection, behavioral governance, credential patterns, and CI/CD examples: opena2a.org/docs

Requirements

Node.js >= 18
Optional: Docker (for opena2a train)

License

Apache-2.0

Website · Docs · Discord · GitHub

Version	Changes	Urgency	Date
v0.8.23	### Bug Fixes - `--server cloud` now resolves to `https://aim.oa2a.org` (AIM Cloud Phase 7 backend). Previously pointed to `api.aim.opena2a.org`, which serves a different product (community). Bare `aim.opena2a.org` still routes to `api.aim.opena2a.org` for community users. - Updated `--server` help text and login error message to reference the new default. ### Install - npm: `npm install -g opena2a-cli@0.8.23` - Homebrew: `brew upgrade opena2a`	High	4/14/2026
v0.8.19	Bump MIN_HMA_VERSION to 0.15.7 for unified publish endpoint support	High	4/9/2026
v0.8.16	## What's New - Runtime HMA version check: Warns when installed hackmyagent is below minimum required version (0.15.6) - Prevents confusing errors when using GitHub repo scanning with old HMA - GitHub target routing from feat/github-check now included	High	4/9/2026

opena2a

Description

README

opena2a

Built-in Help

Commands

Ecosystem

Use Cases

Docs

Requirements

License

Release History

Dependencies & License Audit

Similar Packages