
What is Vulkro Labs?

Vulkro Labs is the free, open-source side of Vulkro: a single keyless CLI, vulkro-live, that vets everything entering your project through an AI agent: the packages the agent suggests, the MCP servers and tools it trusts, the skills and slash commands it runs, the memory it stores, and the peer agents it talks to.

The boundary with the paid product is one sentence: Labs vets what enters your project; the paid engine analyzes the code you ship. The Vulkro detection engine (SAST, dataflow, secrets, IaC, compliance evidence) is a separate, closed product. Only the Labs tools are open source (MIT OR Apache-2.0), at github.com/vulkro/vulkro-labs. The Labs overview page has the short marketing version of this section.

Three properties hold for every command:

  • Keyless. No account, no API key, no backend.
  • Local. Only public metadata (package names, versions, tool manifests) leaves your machine. Your source code never does. Several commands are fully offline.
  • CI-ready. Every finding-producing command takes --format text, json, or sarif, exits 0 when clean, 1 when something is flagged, and 2 on an error. See Output formats and exit codes.
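
An added example, not part of Vulkro's documentation or code: a POSIX shell helper for a CI job that applies the exit-code contract above and fails closed, treating any exit code other than 0 or 1 as an error. The `gate` function and `GATE_STATUS` variable are hypothetical names, and the command to run is passed in as arguments because this page does not show each command's argument syntax.

```shell
#!/bin/sh
# Added example (not Vulkro's own code): CI gate for the contract
#   0 = clean, 1 = something flagged, 2 = error.
# GATE_STATUS and gate() are hypothetical names chosen for this sketch.

GATE_STATUS=0   # worst status seen so far: 0 clean, 1 flagged, 2 error

# gate LABEL CMD [ARGS...]
# Runs CMD, prints "[LABEL] clean|flagged|error" on stdout, and raises
# GATE_STATUS to the worst result seen. It always returns 0 so that the
# remaining steps still run under `set -e`; the job exits once, at the end.
gate() {
    if [ "$#" -lt 2 ]; then
        # No command to run: never report this as clean.
        echo "[${1:-?}] error (no command given)"
        GATE_STATUS=2
        return 0
    fi
    label=$1; shift
    rc=0
    "$@" 1>&2 || rc=$?      # tool output goes to stderr, i.e. the CI log
    case "$rc" in
        0) verdict=clean ;;
        1) verdict=flagged ;;
        # 2, but also 127 (binary missing) or 128+N (killed by a signal):
        # a scanner that did not run must not look like a clean result.
        *) verdict=error; rc=2 ;;
    esac
    echo "[$label] $verdict"
    if [ "$rc" -gt "$GATE_STATUS" ]; then GATE_STATUS=$rc; fi
    return 0
}

# Usage in a CI script (the invocation is an assumption; each command's
# required arguments are documented on its own page):
#   gate audit vulkro-live audit --format sarif
#   exit "$GATE_STATUS"
```

Ending the job with `exit "$GATE_STATUS"` lets the pipeline distinguish a flagged run (1) from a scanner that failed to run (2), which should block the merge rather than pass silently.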

The twelve commands

| Command | What it answers |
|---|---|
| verify | Is this package real, non-malicious, and reputable, before I install it? |
| foresee | Which slopsquat names is an AI likely to invent for this project, and are any already registered as traps? |
| warden | Is this MCP tool manifest (or this untrusted tool result) trying to steer my agent? |
| inspect | Is this MCP server safe to add? One GREEN / REVIEW / AVOID verdict. |
| audit | What is my whole agent surface right now, and what on it is risky? |
| skillscan | Do the scripts my skills actually run match what their descriptions claim? |
| memcheck | Has anything poisoned my agent's stored long-term memory? |
| trustdb | How do I clear a reviewed artifact once so every tool trusts that exact version? |
| lock | Fingerprint the MCP tools I approved into a committable lock file. |
| drift | Did any approved MCP tool silently change since the lock (a rug pull)? |
| cardcheck | Should my agent trust this A2A peer agent's card? |
| mcp | Run all of this as an MCP server so the agent checks things in the loop. |

Where Labs sits in a scan pipeline

Labs runs at the entry gate, before anything is installed or trusted. The paid vulkro binary runs after, on the code you wrote:

  1. Agent suggests a dependency: verify (or the mcp server) clears it before install.
  2. You add an MCP server: inspect gives a verdict, warden scans its tools, lock pins what you approved, drift catches later swaps.
  3. Periodically or in CI: audit, skillscan, and memcheck sweep the whole agent surface; foresee maps the traps planted for your stack.
  4. Reviewed exceptions go in the trust store, committed and PR-reviewed like code.
  5. The code you ship goes through the Vulkro engine: full-repo SAST, dependency CVEs, secrets, IaC, compliance evidence.

Start with Install, then work through the commands in the sidebar.