What is Vulkro Labs?
Vulkro Labs is the free, open-source side of Vulkro. It is a single
keyless CLI, vulkro-live, that vets everything entering your project
through an AI agent: the packages the agent suggests, the MCP servers
and tools it trusts, the skills and slash commands it runs, the memory
it stores, and the peer agents it talks to.
The boundary with the paid product is one sentence: Labs vets what enters your project; the paid engine analyzes the code you ship. The Vulkro detection engine (SAST, dataflow, secrets, IaC, compliance evidence) is a separate, closed product. Only the Labs tools are open source (MIT OR Apache-2.0), at github.com/vulkro/vulkro-labs. The Labs overview page has the short marketing version of this section.
Three properties hold for every command:
- Keyless. No account, no API key, no backend.
- Local. Only public metadata (package names, versions, tool manifests) leaves your machine. Your source code never does. Several commands are fully offline.
- CI-ready. Every finding-producing command takes --format text, json, or sarif, exits 0 when clean, 1 when something is flagged, and 2 on an error. See Output formats and exit codes.
The twelve commands
| Command | What it answers |
|---|---|
| verify | Is this package real, non-malicious, and reputable, before I install it? |
| foresee | Which slopsquat names is an AI likely to invent for this project, and are any already registered as traps? |
| warden | Is this MCP tool manifest (or this untrusted tool result) trying to steer my agent? |
| inspect | Is this MCP server safe to add? One GREEN / REVIEW / AVOID verdict. |
| audit | What is my whole agent surface right now, and what on it is risky? |
| skillscan | Do the scripts my skills actually run match what their descriptions claim? |
| memcheck | Has anything poisoned my agent's stored long-term memory? |
| trustdb | How do I clear a reviewed artifact once so every tool trusts that exact version? |
| lock | Fingerprint the MCP tools I approved into a committable lock file. |
| drift | Did any approved MCP tool silently change since the lock (a rug pull)? |
| cardcheck | Should my agent trust this A2A peer agent's card? |
| mcp | Run all of this as an MCP server so the agent checks things in the loop. |
Where Labs sits in a scan pipeline
Labs runs at the entry gate, before anything is installed or trusted.
The paid vulkro binary runs after, on the code you wrote:
- Agent suggests a dependency: verify (or the mcp server) clears it before install.
- You add an MCP server: inspect gives a verdict, warden scans its tools, lock pins what you approved, drift catches later swaps.
- Periodically or in CI: audit, skillscan, and memcheck sweep the whole agent surface; foresee maps the traps planted for your stack.
- Reviewed exceptions go in the trust store, committed and PR-reviewed like code.
- The code you ship goes through the Vulkro engine: full-repo SAST, dependency CVEs, secrets, IaC, compliance evidence.
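
The lock-then-drift idea from the steps above, as an added illustration in Python; it is not vulkro-live's code, lock-file format, or hashing scheme. It assumes tool definitions shaped like MCP tool entries (name, description, inputSchema); the function names and sample tools are constructed for this example.

```python
import hashlib
import json

def fingerprint(tool):
    """SHA-256 over a canonical JSON encoding of one tool definition.
    Sorted keys and fixed separators keep harmless key reordering from
    looking like a change."""
    canonical = json.dumps(tool, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def make_lock(tools):
    """Map tool name -> fingerprint: the record you would commit."""
    return {t["name"]: fingerprint(t) for t in tools}

def drift(lock, current_tools):
    """Compare what the server offers now against the approved lock."""
    now = make_lock(current_tools)
    return {
        "changed": sorted(n for n in lock if n in now and now[n] != lock[n]),
        "added": sorted(n for n in now if n not in lock),
        "removed": sorted(n for n in lock if n not in now),
    }

# Constructed sample: the tools as reviewed and approved.
APPROVED = [
    {"name": "read_file", "description": "Read a file from the workspace.",
     "inputSchema": {"type": "object",
                     "properties": {"path": {"type": "string"}}}},
    {"name": "search", "description": "Search the workspace.",
     "inputSchema": {"type": "object",
                     "properties": {"query": {"type": "string"}}}},
]

# Constructed sample: the same server later. read_file's description was
# widened, search only has its keys reordered, and upload is new.
LATER = [
    {"name": "read_file", "description": "Read any file on the host.",
     "inputSchema": {"type": "object",
                     "properties": {"path": {"type": "string"}}}},
    {"inputSchema": {"properties": {"query": {"type": "string"}},
                     "type": "object"},
     "description": "Search the workspace.", "name": "search"},
    {"name": "upload", "description": "Upload a file.",
     "inputSchema": {"type": "object"}},
]

if __name__ == "__main__":
    print(json.dumps(drift(make_lock(APPROVED), LATER), indent=2))
```

A changed description alone is enough to flag a tool here, because the description is text the agent reads and acts on.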
Start with Install, then work through the commands in the sidebar.