Warden

Warden

Warden provides a trusted skill brain for open agents, enabling secure execution of curated, cryptographically-signed skills with sandboxing, trust scoring, and transparency logging, all with zero third-party dependencies.

Category
访问服务器

README

Warden — the trusted skill brain for open agents

CI License: Apache 2.0 Python 3.8+ Dependencies: zero Self-test: 75/75

Connect your open-source agent to one endpoint, and it gains a curated, cryptographically-signed, sandboxed set of skills — without poisoning it.

Live → https://warden-8c4.pages.dev/ · browse the trust-graded registry · mirror

The world has thousands of places to find agent skills and almost nowhere trustworthy to run them. Warden is the run-trust layer: not a bigger directory, a vouched-for one. It is OSS-native, local-first, and opinionated about curation — and it treats trust as a signal, not a guarantee.

This repository is the trust core (Phase 0) — the Agent Skill Trust Spec, a curated hardened skill-pack, and a working reference local node — plus the Phase 1–4 capabilities built as reference implementations (sandboxed execution, private encrypted memory, knowledge packs, governance, the Scan API). Pure Python standard library — zero third-party dependencies. Nothing leaves your box.


The magic moment

One config line points any MCP-speaking agent at Warden. Within a minute it has a curated skill set where every skill is visibly signed, sandboxed, and trust-scored — capability and provenance in the same breath:

$ py examples/mcp_client_smoke.py

[warden] pinned curator key warden:cd015c720e6027fd
[warden] transparency log: 5 entries, root sha256:491104b0…, integrity OK
[warden] VERIFIED  build-brain/build-product        [Warden PROVISIONAL A/99 ✓]
[warden] VERIFIED  build-brain/ship-gate            [Warden A/100 ✓]
[warden] VERIFIED  compliance-brain/secret-sentinel [Warden PROVISIONAL C/79 ✓]
[warden] VERIFIED  research-brain/fact-gate         [Warden A/100 ✓]
[warden] VERIFIED  research-brain/idea-scout        [Warden A/100 ✓]
[warden] ready: 5 skill(s) exposed, 0 refused (deny-by-default)

…and when the agent calls a skill, it gets the skill with its provenance:

=== WARDEN PROVENANCE ==========================================
skill        : research-brain/idea-scout v1.0.0
trust        : [Warden A/100 ✓]  (a SIGNAL, not a guarantee)
pinned hash  : sha256:208b0208cd3c…
capabilities : no network, no filesystem, no shell, no secrets
sandbox      : isolated-no-net (deny-by-default; cannot act outside this envelope)
verified now : VERIFIED (11/11 checks)
================================================================

Quickstart (≈60 seconds)

Requires Python 3.8+ (on Windows use the py launcher). No pip install.

# 1. generate your curator key (the root of trust; the private seed is gitignored)
py -m warden keygen

# 2. scan + sign + log + register every curated skill
py -m warden sign-all

# 3. cold-verify everything (re-derives the hash, checks the signature, re-scans,
#    recomputes the trust score, checks the transparency log)
py -m warden verify-all

# 4. see the curated set and the public log
py -m warden list
py -m warden audit

# 5. run the reference MCP node (stdio), or drive it with the demo client
py -m warden serve
py examples/mcp_client_smoke.py

# prove the scanner: a deliberately poisoned skill is REJECTED at the door
py -m warden scan skills/_samples/poisoned-weather

# everything verified in one shot
py -m warden selftest        # 75/75 (Phase 0–4)

Wire it into your agent

Point any MCP client at the node. Claude Desktop style:

{
  "mcpServers": {
    "warden": { "command": "py", "args": ["-m", "warden", "serve"],
                "cwd": "C:/path/to/WARDEN" }
  }
}

See examples/ for the full config and a smoke client.

Verify the live registry yourself

You don't have to trust us. Check the curator's signature on the public registry from anywhere — this re-derives the canonical bytes and verifies the Ed25519 signature with Warden's own pure-Python verifier:

import urllib.request, base64, json
from warden import ed25519
from warden.canonical import canonicalize

url = "https://warden-8c4.pages.dev/registry/index.json"
req = urllib.request.Request(url, headers={"User-Agent": "warden-verify/1.0"})  # any UA; some CDNs 403 the default
obj = json.load(urllib.request.urlopen(req, timeout=20))
data = obj["index"]
ok = ed25519.verify(bytes.fromhex(data["curator_key"]),
                    canonicalize(data), base64.b64decode(obj["signature"]))
print("VERIFIED" if ok else "TAMPERED", ed25519.fingerprint(bytes.fromhex(data["curator_key"])))
# -> VERIFIED warden:cd015c720e6027fd

Change one byte of the index and the signature fails. The GitHub mirror serves the identical signed bytes.


Phases 1–4 (now built)

The phase capabilities are now built as reference implementations — local-first, pure standard library, zero third-party dependencies, verified by a 75/75 self-test. The full command surface (py -m warden help):

Capability Command
Run a kind:"code" skill in the sandbox py -m warden run-code <dir> "{...}"
Private per-agent encrypted memory py -m warden memory remember|recall|list
Safe auto-update (re-verify + re-score; refuses escalation) py -m warden update <id> <dir> [--apply]
Shareable scan report py -m warden scan-report <dir> [--sign]
Org allow/deny policy (ALLOW/DENY per skill) py -m warden policy show|init|check
Tamper-evident audit log py -m warden audit-log [N]
The Scan API (Trust-as-a-Service) py -m warden serve-api [--port N]
Trust-graded signed static index → site/registry/ py -m warden build-index [out]
Signed read-only knowledge packs py -m warden kpack list|sign|verify
Host your own skill (private) py -m warden host <dir>
Trust another curator key py -m warden add-root <hex> <name>

What remains is the business rollout, not the code — see Honest scope below and docs/PHASES.md.


The trust architecture (the moat)

Built to the OWASP Agentic Skills Top 10. Six pillars, all real in this repo:

# Pillar Where
1 Content-addressed + Ed25519-signed + pinned — you connect to a hash, not a name. Kills rug-pulls. content_address.py, ed25519.py, sign.py
2 Intake scanning — tool-poisoning, unsafe-exec, SSRF, secret-exfil, obfuscation, and capability drift. scanner.py
3 Capability manifest + deny-by-default — a skill may touch only what it declares. manifest.py, policy.py
4 Sandboxed execution — skills run in a declared profile, never the agent's process. policy.py (profiles)
5 Behavioral trust score — per-version, time-aware; re-publishing re-evaluates. Not a static badge. trust.py
6 Public transparency log — append-only, hash-linked, Merkle-rooted. Nothing changes silently. translog.py

The point the whole project turns on:

Verification of identity is not verification of behavior. A "verified" badge can still turn malicious on its next update. So Warden pins the exact bytes, re-scores every version, scans for drift between what a skill declares and what it does, and writes every change to a public log.

 ┌───────────┐   ┌─────────────┐   ┌─────────────┐   ┌────────────┐
 │ Skills in │──▶│ Scan & sign │──▶│ Skill brain │──▶│ Your agent │
 │ any source│   │ OWASP + hash│   │  sandboxed  │   │ MCP, local │
 └───────────┘   └─────────────┘   └─────────────┘   └────────────┘
   untrusted        [trust ctrl]      [trust ctrl]      your side
   ····················· TRANSPARENCY LOG — every version auditable ··········
   [ pinned hash = no rug-pull ]   [ sandbox = contained ]   [ deny-by-default ]

What's in here

WARDEN/
├── TRUST_SPEC.md          the standard (start here)
├── THREAT_MODEL.md        OWASP Agentic Skills Top 10 → mitigations
├── warden/                the reference node + pipeline (zero-dep stdlib)
├── skills/                curated hardened skill packs + registry + _samples
├── schema/                JSON Schemas (manifest, signature, trust, log entry)
├── keys/                  the pinned curator public key
├── examples/              one-config-line setup + magic-moment smoke client
├── docs/                  positioning, build path, FAQ
└── site/                  the landing + waitlist site (zero-dep static; deploy anywhere)

Landing site

A zero-dependency static site (the launch + waitlist funnel) lives in site/. Run it locally with py -m http.server 4173 --directory site and open http://localhost:4173. Wire one endpoint (WAITLIST_ENDPOINT in site/app.js) before deploying — details in site/README.md.

Honest scope

The Phase 0 curated skills are instruction packs: the node serves their verified text plus a provenance block, and your agent's model follows them. The Phase 1–4 capabilities are now built as reference implementations — local, zero-dep, verified — so sandboxed kind:"code" execution, private encrypted memory, knowledge packs, safe auto-updates, org policy, the audit log, and the Scan API all run today (see the table above and docs/PHASES.md).

What remains is honest and named:

  • The business rollout — hosting, the paid tiers (Pro / Team / Scan API as products), billing, SSO (an integration point, not built), and go-to-market. Reference code existing is not the same as the business being validated, so productizing/hosting stays gated behind a cheap test (see docs/BUILD_PATH.md).
  • Production-grade sandboxing — the kind:"code" sandbox is defense-in-depth at the Python + process layer, not a hard OS sandbox (no seccomp / namespaces). For untrusted code in production, run it in a container / microVM / WASM and enforce the same policy there. The pure-Python Ed25519 and ChaCha20-Poly1305 are real and interop-verified but not constant-time (sign offline / HSM in production).

We would rather ship small and true than over-promise.

How it makes money (without charging for the core)

The core is free forever — it is the funnel, and devs don't pay for cores. Revenue comes from governance (teams), the supply side (a Scan API that vouches for skill authors' and marketplaces' skills), and hosting/convenience. See docs/BUILD_PATH.md.

Positioning in one breath

Not a directory (mcp.so, Glama, Smithery). Not a memory platform (Mem0, Zep, Letta) — memory is a supporting feature here, never the headline. Not a hosted identity-verification play (mcpskills.io, Apigene). Warden is OSS-native + local-first + behavioral-trust + opinionated curation. Full comparison in docs/POSITIONING.md.

Trust is a signal, not a guarantee

Read SECURITY.md before you rely on anything here. We never claim "100% safe"; we claim signed, scanned, contained, scored, and logged.

License

Apache-2.0.

推荐服务器

Baidu Map

Baidu Map

百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。

官方
精选
JavaScript
Playwright MCP Server

Playwright MCP Server

一个模型上下文协议服务器,它使大型语言模型能够通过结构化的可访问性快照与网页进行交互,而无需视觉模型或屏幕截图。

官方
精选
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

一个由人工智能驱动的工具,可以从自然语言描述生成现代化的用户界面组件,并与流行的集成开发环境(IDE)集成,从而简化用户界面开发流程。

官方
精选
本地
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

通过模型上下文协议启用与 Audiense Insights 账户的交互,从而促进营销洞察和受众数据的提取和分析,包括人口统计信息、行为和影响者互动。

官方
精选
本地
TypeScript
VeyraX

VeyraX

一个单一的 MCP 工具,连接你所有喜爱的工具:Gmail、日历以及其他 40 多个工具。

官方
精选
本地
graphlit-mcp-server

graphlit-mcp-server

模型上下文协议 (MCP) 服务器实现了 MCP 客户端与 Graphlit 服务之间的集成。 除了网络爬取之外,还可以将任何内容(从 Slack 到 Gmail 再到播客订阅源)导入到 Graphlit 项目中,然后从 MCP 客户端检索相关内容。

官方
精选
TypeScript
Kagi MCP Server

Kagi MCP Server

一个 MCP 服务器,集成了 Kagi 搜索功能和 Claude AI,使 Claude 能够在回答需要最新信息的问题时执行实时网络搜索。

官方
精选
Python
e2b-mcp-server

e2b-mcp-server

使用 MCP 通过 e2b 运行代码。

官方
精选
Neon MCP Server

Neon MCP Server

用于与 Neon 管理 API 和数据库交互的 MCP 服务器

官方
精选
Exa MCP Server

Exa MCP Server

模型上下文协议(MCP)服务器允许像 Claude 这样的 AI 助手使用 Exa AI 搜索 API 进行网络搜索。这种设置允许 AI 模型以安全和受控的方式获取实时的网络信息。

官方
精选