DEV Community: Anders

Nerq AI Agent Ecosystem Weekly Report for Week Ending 2026-04-20

Anders — Mon, 20 Apr 2026 04:00:25 +0000

Nerq AI Agent Ecosystem Weekly Report for Week Ending 2026-04-20

One-Paragraph Summary

This week, Nerq's AI agent ecosystem continued to expand, indexing over 5,700 new agents and tools, bringing the total indexed assets to a staggering 4.1 million. Notable additions include Sourcebot, which received high trust scores from users and developers alike. Frameworks such as Anthropic and OpenAI remain dominant, while MCP servers like Sourcebot and Voice MCP are gaining traction with advanced functionalities.

This Week in Numbers

Total Agents & Tools Indexed: 248,246
Models & Datasets Indexed: 2,948,908
Total AI Assets Indexed: 4,141,740
New Agents/Tools Added This Week: 5,722

Agent of the Week

Sourcebot

Trust Score: 77.2
Stars on GitHub: 3,200
Description: Enables code search across multiple repository hosts including GitHub, GitLab, Gitea, Gerrit, and Bitbucket with advanced filtering options for exploring large codebases through natural language queries.
GitHub URL

Framework Trends

The top frameworks in the ecosystem remain Anthropic and OpenAI, each with over 7,000 indexed assets. Langchain follows closely with 2,680 entries, while MCP servers contribute 2,066 assets. Notable newcomers include Ollama and HuggingFace, both with 1,900 and 1,239 indexed assets respectively.

MCP Server Growth

This week saw the addition of 710 new MCP servers, with Sourcebot leading as a top newcomer. Other notable additions include Voice MCP, Read Website Fast, Auth0, DebuggAI, and OpenNutrition, all enhancing their respective functionalities through advanced features like code search, voice communication, and web content extraction.

Trust & Compliance

The trust score distribution remains balanced:

High: 8,355 agents
Medium: 171,827 agents
Low: 68,064 agents
Average Trust Score: 50.4

Outlook

Continued growth in the ecosystem is expected as more developers and organizations adopt AI tools and frameworks to enhance their operations and innovation capabilities.

Originally published on nerq.ai

Nerq's AI Agent Ecosystem Weekly Report for Week Ending 2026-04-13

Anders — Mon, 13 Apr 2026 04:00:28 +0000

Nerq's AI Agent Ecosystem Weekly Report for Week Ending 2026-04-13

Summary

This week, Nerq indexed an additional 6,835 agents and tools, bringing the total to 242,524. The ecosystem continues to grow with notable additions in categories such as community and infrastructure. The top newcomer is "ai.newzai.api/NewzAI," a MCP server that offers real-time news headlines across seven regions.

This Week in Numbers

Total Agents & Tools Indexed: 242,524
Models & Datasets Indexed: 2,976,947
Total AI Assets Indexed: 4,164,057
New MCP Servers Added This Week: 445

Agent of the Week

Agent Name: ai.newzai.api/NewzAI

Source: mcp_registry

Trust Score: 71.2

Description: News MCP: real-time headlines & custom news search across 7 regions. Free, just sign in with Google.

For more details, visit the GitHub repository.

Framework Trends

The framework trends remain stable this week. "openai" and "anthropic" continue to dominate with counts of 6,333 and 7,512 respectively. The "mcp" framework has a total count of 2,066.

MCP Server Growth

This week saw the addition of 445 new MCP servers, including notable entries such as:

io.github.shin1219-eng/browser-proof: Evidence-backed web verification for agents.
ai.newzai.api/NewzAI: Real-time headlines & custom news search across seven regions.

Trust & Compliance

The trust score distribution remains balanced with 50.4 as the average, but a significant portion of assets fall into the "low" category (67,791). High-trust assets total 8,836, while medium-trust assets account for 165,897.

Outlook

The ecosystem continues to expand with new additions in various categories. As more high-trust assets are indexed, the overall reliability of the AI agent ecosystem improves.

Originally published on nerq.ai

Nerq AI Agent Ecosystem Weekly Report - Week Ending 2026-04-06

Anders — Mon, 06 Apr 2026 04:00:35 +0000

Nerq AI Agent Ecosystem Weekly Report - Week Ending 2026-04-06

One-Paragraph Summary

This week, Nerq indexed an additional 10,325 new agents and tools, bringing the total to 235,689. The ecosystem continues to grow with a focus on community and coding categories, while MCP servers and trust scores provide insights into the reliability of the assets.

This Week in Numbers

Total Agents, Tools & MCP Servers Indexed: 235,689
Models & Datasets Indexed: 3,116,478
Total AI Assets Indexed: 4,338,354
New Agents/Tools Added This Week: 10,325

Agent of the Week

Name: io.github.agentndx/agentindex

Source: mcp_registry

Trust Score: 71.2

Description: Search 15K+ MCP services, A2A agents, and x402 APIs from 5 registries. Paid via x402 (USDC on Base).

URL: https://github.com/agentndx/agentndx

This week's Agent of the Week, io.github.agentndx/agentindex, offers a comprehensive search tool for MCP services and A2A agents across multiple registries. With a high trust score of 71.2, it stands out as an essential resource for users seeking diverse AI assets.

Framework Trends

Anthropic: Total 7,512, No New This Week
OpenAI: Total 6,333, No New This Week
LangChain: Total 2,680, No New This Week
MCP: Total 2,066, No New This Week
Ollama: Total 1,900, No New This Week
HuggingFace: Total 1,239, No New This Week
Autogen: Total 1,114, No New This Week
CrewAI: Total 809, No New This Week
LlamaIndex: Total 466, No New This Week
A2A: Total 191, No New This Week
Semantic Kernel: Total 166, No New This Week

The framework trends show a stable distribution with no new additions this week. Anthropic and OpenAI remain the most indexed frameworks, followed by LangChain and MCP.

MCP Server Growth

New MCP Servers Added This Week: 580 Top New MCP Servers:
io.github.agentndx/agentindex - Search 15K+ MCP services, A2A agents, and x402 APIs from 5 registries.
com.truthifi/mcp - Connects AI agents to live, verified financial data from 18,000+ institutions.
io.github.mananmodi-product/caelian - Live competitive intelligence for B2B teams.
com.tapetide/stock-research-mcp - Indian stock market research: quotes, financials, technicals, screener, FII/DII and market insights.
io.github.asume21/music-theory-mcp - Scales, chords, progressions, key detection, and genre intelligence for your AI.

This week saw a significant addition of 580 new MCP servers, with several notable entries focusing on financial data, competitive intelligence, and music theory.

Trust & Compliance

High Trust Score Assets: 8,833
Medium Trust Score Assets: 162,387
Low Trust Score Assets: 64,469
Average Trust Score: 50.5

The trust score distribution indicates a balanced ecosystem with the majority of assets falling within the medium trust category.

Outlook

Nerq continues to expand its coverage and reliability, with steady growth in community and coding categories, as well as new MCP servers enhancing the diversity of available AI assets.

Originally published on nerq.ai

AI Agent Ecosystem Weekly — 2026-03-30

Anders — Mon, 30 Mar 2026 04:00:03 +0000

AI Agent Ecosystem Weekly — 2026-03-30

The Nerq index now tracks 225,604 agents, tools, and MCP servers alongside 3,151,283 models and datasets. This week, 7,982 new entries were added to the index.

This Week in Numbers

4,414,491 total AI assets indexed
7,982 new agents and tools this week
850 new MCP servers
50.4 average trust score

Agent of the Week

SceneView (pulsemcp) — Trust Score: 73.5

3D and AR scene management framework with tools for controlling cameras, nodes, lighting, and augmented reality experiences.

Top New Agents

Name	Source	Trust	Stars
SceneView	pulsemcp	74	1137
FirstData	pulsemcp	73	144
Todoist Extended	pulsemcp	72	6
io.github.mctx-ai/example-app	mcp_registry	71	—
io.carbone/carbone-mcp	mcp_registry	71	—

Framework Trends

Framework	Total Agents	New This Week
anthropic	7,543	+0
openai	6,358	+0
langchain	2,690	+0
mcp	2,068	+0
ollama	1,907	+0
huggingface	1,244	+0
autogen	1,122	+0
crewai	813	+0

Trust Distribution

High trust (70+): 8,891
Medium trust (40-69): 153,459
Low trust (<40): 63,254

Outlook

The agent ecosystem continues to expand. MCP adoption remains strong with 850 new servers this week.

Data from the Nerq index. Generated 2026-03-30.

Originally published on nerq.ai

AI Agent Ecosystem Weekly — 2026-03-23

Anders — Mon, 23 Mar 2026 05:00:03 +0000

AI Agent Ecosystem Weekly — 2026-03-23

The Nerq index now tracks 217,622 agents, tools, and MCP servers alongside 3,151,281 models and datasets. This week, 10,171 new entries were added to the index.

This Week in Numbers

4,403,428 total AI assets indexed
10,171 new agents and tools this week
2913 new MCP servers
50.3 average trust score

Agent of the Week

Apache AGE Graph (pulsemcp) — Trust Score: 75.2

Bridges Claude with PostgreSQL databases using Apache AGE graph extension, enabling natural language execution of Cypher queries for graph operations, relationship analysis, and data visualization without complex SQL.

Top New Agents

Name	Source	Trust	Stars
Apache AGE Graph	pulsemcp	75	3
Oracle v2	pulsemcp	70	41
Pica	pulsemcp	70	11
Antseer	pulsemcp	69	10
io.emc2ai/einstein	mcp_registry	68	—

Framework Trends

Framework	Total Agents	New This Week
anthropic	7,543	+0
openai	6,358	+0
langchain	2,690	+0
mcp	2,068	+0
ollama	1,907	+0
huggingface	1,244	+0
autogen	1,122	+0
crewai	813	+0

Trust Distribution

High trust (70+): 8,881
Medium trust (40-69): 146,317
Low trust (<40): 62,424

Outlook

The agent ecosystem continues to expand. MCP adoption remains strong with 2913 new servers this week.

Data from the Nerq index. Generated 2026-03-23.

Originally published on nerq.ai

Adding Trust Score Checks to Your CI/CD Pipeline

Anders — Mon, 16 Mar 2026 12:30:37 +0000

Your CI pipeline runs linters, tests, and type checkers. But it does not tell you if the AI package someone just added to requirements.txt has a trust score of 29 and two unpatched CVEs. Adding a trust score check takes five minutes and catches problems before they reach production.

Here is how to add Nerq's preflight API to your CI/CD pipeline.

The Preflight API

Nerq exposes a simple REST endpoint for trust verification:

curl "https://nerq.ai/v1/preflight?target=langchain"

Response:

{
  "target": "langchain",
  "trust_score": 82,
  "grade": "A",
  "recommendation": "PROCEED",
  "risk_level": "low",
  "known_cves": 0,
  "license": "MIT",
  "last_commit_days_ago": 2,
  "alternatives": [],
  "response_time_ms": 12.3
}

No API key required. No authentication. The endpoint supports CORS and returns results in under 50ms for cached queries.

For multiple packages, use the batch endpoint:

curl -X POST "https://nerq.ai/v1/preflight/batch" \
  -H "Content-Type: application/json" \
  -d '{"targets": ["langchain", "openai", "sketchy-agent"]}'

The batch endpoint handles up to 50 packages per request.

GitHub Actions Integration

Here is a workflow step that checks all Python dependencies and fails if any score below a threshold:

# .github/workflows/trust-check.yml
name: Dependency Trust Check
on:
  pull_request:
    paths:
      - 'requirements*.txt'
      - 'pyproject.toml'

jobs:
  trust-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Extract dependencies
        id: deps
        run: |
          # Extract package names from requirements.txt
          PACKAGES=$(grep -v '^#' requirements.txt | sed 's/[>=<].*//' | tr '\n' ',' | sed 's/,$//')
          echo "packages=$PACKAGES" >> $GITHUB_OUTPUT

      - name: Nerq Preflight Check
        run: |
          THRESHOLD=50
          FAILED=0
          IFS=',' read -ra PKGS <<< "${{ steps.deps.outputs.packages }}"
          for pkg in "${PKGS[@]}"; do
            pkg=$(echo "$pkg" | xargs)  # trim whitespace
            [ -z "$pkg" ] && continue
            RESULT=$(curl -s "https://nerq.ai/v1/preflight?target=$pkg")
            SCORE=$(echo "$RESULT" | jq -r '.trust_score // 0')
            GRADE=$(echo "$RESULT" | jq -r '.grade // "?"')
            REC=$(echo "$RESULT" | jq -r '.recommendation // "UNKNOWN"')
            echo "$pkg: $SCORE/100 ($GRADE) — $REC"
            if [ "$SCORE" -lt "$THRESHOLD" ]; then
              echo "::error::$pkg has trust score $SCORE (below threshold $THRESHOLD)"
              FAILED=1
            fi
          done
          if [ "$FAILED" -eq 1 ]; then
            echo "::error::One or more dependencies failed the trust check."
            exit 1
          fi

This workflow runs on every PR that modifies dependency files. It extracts package names, queries the preflight API for each one, and fails the check if any score falls below the threshold.

Shell Script for Any CI System

Not on GitHub Actions? Here is a standalone script that works with any CI:

#!/bin/bash
# trust-check.sh — fail if any dependency scores below threshold
THRESHOLD=${1:-50}
FAILED=0

while IFS= read -r line; do
  pkg=$(echo "$line" | sed 's/[>=<].*//' | xargs)
  [ -z "$pkg" ] || [[ "$pkg" == \#* ]] && continue

  result=$(curl -s "https://nerq.ai/v1/preflight?target=$pkg")
  score=$(echo "$result" | jq -r '.trust_score // 0')
  grade=$(echo "$result" | jq -r '.grade // "?"')
  rec=$(echo "$result" | jq -r '.recommendation // "UNKNOWN"')

  if [ "$score" -lt "$THRESHOLD" ]; then
    echo "FAIL: $pkg — $score/100 ($grade) $rec"
    FAILED=1
  else
    echo "OK:   $pkg — $score/100 ($grade) $rec"
  fi
done < requirements.txt

exit $FAILED

Run it in any CI: bash trust-check.sh 50

npm / Node.js Variant

For package.json, extract dependencies with jq:

PACKAGES=$(jq -r '.dependencies // {} | keys[]' package.json)
for pkg in $PACKAGES; do
  curl -s "https://nerq.ai/v1/preflight?target=$pkg" | \
    jq -r '"  \(.target): \(.trust_score)/100 (\(.grade)) — \(.recommendation)"'
done

What the API Returns

Each preflight response includes:

trust_score: 0-100 composite score
grade: A+ through F
recommendation: PROCEED (score >= 60), CAUTION (40-59), DENY (below 40)
risk_level: low, medium, high
known_cves: count of known vulnerabilities
license: detected license type
alternatives: higher-scored packages in the same category (when score is low)

Try It Now

Pick a package and run the curl command. No signup, no API key:

curl "https://nerq.ai/v1/preflight?target=your-package-here"

Add the GitHub Actions step to your next PR and see what your dependency tree actually looks like from a trust perspective.

Nerq indexes 5M+ AI assets with trust scores. Available as a browser extension, VS Code extension, GitHub App, MCP Server, and API. nerq.ai

Check AI Package Trust Scores Without Leaving VS Code

Anders — Mon, 16 Mar 2026 12:30:01 +0000

I spend most of my day in VS Code. When I add a new dependency, I do not want to switch to a browser, search for the package, check its GitHub, scan for CVEs, and then come back. I want the trust signal right there in my editor.

So I built a VS Code extension that shows trust scores for AI packages and tools inline, without breaking my flow.

The Workflow Problem

Here is what adding a dependency usually looks like:

You hear about a package or an AI assistant suggests one
You add it to package.json or requirements.txt
You run npm install or pip install
Maybe you check the GitHub page. Maybe you do not.
You move on

Step 4 is where the security decision should happen, but it rarely does because it requires context-switching. By the time you have checked the repo, read the issues, and searched for CVEs, you have lost 5 minutes and your focus.

How the Extension Works

The Nerq VS Code extension adds trust scoring directly into your editor:

Inline annotations: When you open a package.json, requirements.txt, pyproject.toml, or go.mod file, the extension annotates each dependency with its trust score and grade. You see the score right next to the package name as a CodeLens annotation.

Hover details: Hover over any dependency to see the full trust breakdown — maintenance score, security flags, license type, last commit date, and recommendation (PROCEED/CAUTION/DENY).

Command palette: Run "Nerq: Check Package" from the command palette to look up any package by name. Useful when you are evaluating options before adding a dependency.

Status bar: The status bar shows a summary for the current file — how many dependencies are in each trust tier (green/amber/red).

Installation

Install from the VS Code Marketplace or from a .vsix file:

From Marketplace:

Open VS Code
Go to Extensions (Ctrl+Shift+X)
Search "Nerq Trust Score"
Click Install

From .vsix (for pre-release or offline):

Download the latest .vsix from nerq.ai/vscode
In VS Code, open the command palette (Ctrl+Shift+P)
Run "Extensions: Install from VSIX..."
Select the downloaded file

No API key needed. The extension calls the public Nerq API.

What You See

Open a requirements.txt that looks like this:

langchain==0.1.0
openai==1.12.0
sketchy-agent==0.0.3

The extension adds CodeLens annotations:

langchain==0.1.0        # Trust: 82/100 (A) PROCEED
openai==1.12.0          # Trust: 88/100 (A+) PROCEED
sketchy-agent==0.0.3    # Trust: 31/100 (D) DENY — 2 CVEs, no license

Hovering over sketchy-agent shows:

Trust Score: 31/100 (Grade: D)
Recommendation: DENY
Last commit: 14 months ago
License: None detected
Known CVEs: 2 (1 high, 1 medium)
Alternatives: crewai (78), autogen (75)

Configuration

The extension is zero-config by default, but you can customize it in VS Code settings:

{
  "nerq.threshold": 50,
  "nerq.showInline": true,
  "nerq.showStatusBar": true,
  "nerq.highlightDeny": true
}

Set nerq.threshold to control which score triggers a warning. Set nerq.highlightDeny to add a red underline to packages with a DENY recommendation.

Privacy

The extension sends only package names to nerq.ai/v1/preflight. No code, no file contents, no telemetry. Requests are cached locally for 5 minutes to minimize network calls.

Try It

Install the extension and open any dependency file. The trust scores appear automatically. If a package looks risky, hover for details and alternatives.

Nerq indexes 5M+ AI assets with trust scores. Available as a browser extension, VS Code extension, GitHub App, MCP Server, and API. nerq.ai

Building a Trust Score MCP Server for Claude and Cursor

Anders — Mon, 16 Mar 2026 12:29:25 +0000

The Model Context Protocol (MCP) lets AI assistants call external tools. Claude, Cursor, Windsurf, and other MCP-compatible clients can discover and invoke tools at runtime — which means your AI assistant can check whether a package is safe before it recommends it to you.

I built an MCP server that exposes Nerq's trust scoring engine as a set of tools any MCP client can call. Here is how to set it up and what it can do.

What MCP Is (30-Second Version)

MCP is a standard for connecting AI assistants to external data and tools. Instead of the assistant guessing or hallucinating, it calls a tool that returns real data. An MCP server exposes tools with JSON Schema inputs and returns structured results. Claude Desktop, Cursor, Windsurf, and others support it natively.

The Nerq MCP Server

The server exposes four tools:

discover_agents — Find AI agents and tools by describing what you need. Returns ranked results with trust scores.
trust_gate — Check if a specific agent or package meets a trust threshold. Returns approve/reject with the score and grade.
trust_compare — Compare two agents side-by-side on trust score, grade, and recommendation.
agent_index_stats — Get current index statistics: total assets, categories, sources.

Setup

Add Nerq to your MCP client configuration. For Claude Desktop, edit ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "nerq": {
      "command": "python",
      "args": ["-m", "agentindex.mcp_server"]
    }
  }
}

For Cursor, add the same block to your MCP settings. For any MCP client that supports stdio transport, the config is identical.

Install the server:

pip install agentindex

Or run from source:

git clone https://github.com/nerq-ai/agentindex.git
cd agentindex
pip install -e .

Using It

Once configured, your AI assistant can call the tools directly. Here are some example interactions:

"Is langchain safe to use?"

The assistant calls trust_gate with name: "langchain" and returns:

langchain — Trust Score: 82/100 (Grade: A)
Recommendation: PROCEED
Maintenance: Active (last commit 2 days ago)
License: MIT
Known CVEs: 0

"Find me an agent for code review"

The assistant calls discover_agents with need: "code review" and returns a ranked list:

1. codex (Score: 85, Grade: A) — OpenAI code review agent
2. crewai (Score: 78, Grade: B+) — Multi-agent framework
3. aider (Score: 76, Grade: B+) — AI pair programming

"Compare autogen and crewai"

The assistant calls trust_compare with both names:

autogen: 75/100 (B+) vs crewai: 78/100 (B+)
Winner: crewai by 3 points
Both: PROCEED

Why This Matters

AI assistants recommend packages constantly. "Use this library," "install this tool," "try this agent." Without trust scoring, those recommendations are based on popularity and training data — not on current maintenance status, security posture, or license compliance.

With the Nerq MCP server, the assistant checks before it recommends. If a package has a trust score of 31 and two unpatched CVEs, the assistant knows that and can suggest alternatives.

This is especially important for agentic workflows. When an agent autonomously selects and invokes other agents, trust scoring is not optional — it is the difference between a working pipeline and a supply chain incident.

The Trust Gate Pattern

The most useful tool is trust_gate. It takes a name and an optional threshold (default 60) and returns a binary approve/reject decision. You can use this in any agentic workflow:

Agent A wants to call Agent B
Agent A calls trust_gate(name="agent-b", threshold=70)
If approved, proceed. If rejected, find an alternative.

This is the simplest form of agent-to-agent trust verification. No API keys, no complex setup — just a tool call.

Try It

Install the MCP server, add it to your Claude or Cursor config, and ask your assistant about a package. The trust data is live and covers 5M+ AI assets.

Nerq indexes 5M+ AI assets with trust scores. Available as a browser extension, VS Code extension, GitHub App, MCP Server, and API. nerq.ai

Automated Dependency Trust Reports on Every PR

Anders — Mon, 16 Mar 2026 12:28:22 +0000

Every dependency change in a pull request is a security decision. But most teams review dependency bumps by glancing at the diff in package.json or requirements.txt and clicking merge. There is no context about whether that new package is maintained, has known vulnerabilities, or even has a license.

I built a GitHub App that fixes this. Every time a PR touches a dependency file, it posts a trust report as a comment with scores, grades, and recommendations for every added or changed package.

The Problem

Your CI pipeline checks if the code compiles and if tests pass. It does not tell you that the new ai-agent-helper package you just added has a trust score of 23/100, no commits in 14 months, and two unpatched CVEs. That context matters more than whether the tests are green.

How It Works

The Nerq GitHub App watches for pull requests that modify dependency files:

package.json / package-lock.json (npm)
requirements.txt / pyproject.toml / Pipfile (Python)
go.mod (Go)
Cargo.toml (Rust)
pom.xml / build.gradle (Java)

When it detects a change, it extracts the added or modified packages, batch-queries the Nerq preflight API, and posts a PR comment with a trust report.

Example Output

Here is what the comment looks like on a PR that adds two new Python packages:

## Nerq Dependency Trust Report

| Package         | Score | Grade | Recommendation | Flags              |
|-----------------|-------|-------|-----------------|--------------------|
| langchain       |  82   |  A    | PROCEED         |                    |
| sketchy-agent   |  31   |  D    | DENY            | No license, 2 CVEs |

Summary: 1 of 2 packages flagged. Review sketchy-agent before merging.

Safer alternatives for sketchy-agent:
  → crewai (Score: 78, Grade: B+)
  → autogen (Score: 75, Grade: B+)

The report includes:

Trust score (0-100) and letter grade (A+ to F)
Recommendation: PROCEED, CAUTION, or DENY
Flags: missing license, known CVEs, abandoned maintenance, excessive permissions
Alternatives: higher-scored packages in the same category

Setup

Install the GitHub App from nerq.ai/github-app:

Click "Install" and select the repositories you want to monitor
The app requests read access to pull requests and code (to parse dependency files) and write access to PR comments
That is it — no configuration file needed. The next PR that touches a dependency file gets a trust report.

You can customize behavior with a .nerq.yml file in your repo root:

# .nerq.yml
threshold: 50          # Flag packages below this score
deny_below: 30         # Block merging below this score (requires branch protection)
ignore:
  - internal-package   # Skip specific packages
report_on:
  - added              # Only report on new packages (not updates)

Under the Hood

The app uses the Nerq batch preflight endpoint:

POST https://nerq.ai/v1/preflight/batch
Content-Type: application/json

{
  "targets": ["langchain", "sketchy-agent"],
  "caller": "github-app"
}

Each target returns a trust score, grade, recommendation, and enrichment data including known CVEs, license info, and cheaper or safer alternatives. The batch endpoint handles up to 50 packages per request, which covers most PRs.

Why Not Just Use Dependabot?

Dependabot alerts you to known CVEs in existing dependencies. It does not evaluate new packages being added. It does not tell you if a package is abandoned, unlicensed, or poorly maintained. The Nerq GitHub App complements Dependabot — it covers the gap between "no known CVE" and "actually trustworthy."

Get Started

Install the app at nerq.ai/github-app or try the API directly:

curl "https://nerq.ai/v1/preflight?target=langchain"

No API key required. Free for public repositories.

Nerq indexes 5M+ AI assets with trust scores. Available as a browser extension, VS Code extension, GitHub App, MCP Server, and API. nerq.ai

I Built a Browser Extension That Shows Trust Scores on npm, PyPI, and GitHub

Anders — Mon, 16 Mar 2026 12:28:16 +0000

I keep catching myself installing packages I know nothing about. Last month I added an LLM wrapper from npm that had 200 stars and no license file. Turns out it was abandoned, had three unpatched CVEs, and was pulling in a dependency with a known supply chain compromise. I only found out because a colleague happened to mention it.

The AI tooling ecosystem is growing faster than anyone can audit. There are 5 million+ AI assets out there — agents, MCP servers, LangChain tools, Hugging Face models — and most developers evaluate them by star count and README quality. That is not a security strategy.

So I built a browser extension that surfaces trust scores inline, right where you make decisions.

How It Works

The Nerq browser extension detects when you are viewing a package on npm, PyPI, or a GitHub repository. It sends only the package name to the nerq.ai API, retrieves its trust score, and renders a small badge overlay on the page. No browsing data, no telemetry, no tracking — just a name lookup.

The trust score is a 0-100 composite calculated from:

Maintenance signals: commit recency, release cadence, issue response time
Security posture: known CVEs, dependency audit results, license type
Community health: contributor count, fork-to-star ratio, documentation quality
Compliance metadata: EU AI Act risk classification, GDPR data handling declarations

Each package gets a letter grade (A+ through F) and a recommendation: PROCEED, CAUTION, or DENY.

What You See

When you visit a page like npmjs.com/package/some-agent-tool, a small badge appears showing:

Trust score (e.g., 74/100)
Grade (e.g., B+)
Color-coded: green for PROCEED, amber for CAUTION, red for DENY

Click the badge to expand a detail panel with the full breakdown: maintenance score, security flags, license info, and links to safer alternatives if the score is low.

On GitHub, the extension also checks the repo's associated packages. If a repo publishes to npm and PyPI, you get scores for both.

Installation

The extension is available as a Chrome/Edge extension (Manifest V3). Install it from the Chrome Web Store or load it unpacked for development:

Clone the repo or download the latest release
Go to chrome://extensions, enable Developer mode
Click "Load unpacked" and select the extension directory
Navigate to any npm, PyPI, or GitHub page — the badge appears automatically

Privacy

The extension sends only the package name to nerq.ai/v1/preflight. No cookies, no page content, no user identifiers. The full privacy policy is embedded in the extension manifest and available at nerq.ai/privacy.

Why This Matters

Supply chain attacks are not theoretical. The 2024 xz backdoor, the ua-parser-js hijack, the event-stream incident — these all targeted packages that developers trusted implicitly. Trust should not be implicit. It should be measurable.

I wanted the friction to be zero. You do not need to change your workflow. You do not need to run a CLI tool or check a dashboard. The score is just there, on the page, when you are making the decision.

What's Next

I am working on deeper integration: hover tooltips for dependencies listed in package.json and requirements.txt files on GitHub, and a sidebar panel that shows the trust profile of every dependency in a repo's lockfile.

If you want to try it, head to nerq.ai or install the extension directly. The trust score API is free and open — no auth required.

Nerq indexes 5M+ AI assets with trust scores. Available as a browser extension, VS Code extension, GitHub App, MCP Server, and API. nerq.ai

Nerq's AI Agent Ecosystem Weekly Report for the Week Ending 2026-03-16

Anders — Mon, 16 Mar 2026 05:00:18 +0000

Nerq's AI Agent Ecosystem Weekly Report for the Week Ending 2026-03-16

One-Paragraph Summary

This week, Nerq indexed an additional 65,797 new agents and tools, bringing the total to 209,894. The ecosystem continues to grow with a focus on devops and infrastructure categories, as well as contributions from GitHub repositories. Notable additions include "gsd-build/gsd-2," which has garnered significant attention due to its high trust score and extensive community support.

This Week in Numbers

Total indexed agents, tools & MCP servers: 209,894
Models & datasets indexed: 3,233,508
Total AI assets: 4,501,094
New agents and tools added this week: 65,797

Agent of the Week

Name: gsd-build/gsd-2

Source: GitHub

Category: Devops

Trust Score: 86.4

Stars: 1,243

gsd-2 is a powerful meta-prompting, context engineering, and spec-driven development system for autonomous agents. This tool has seen significant traction with a high trust score and active community engagement.

Framework Trends

The framework trends remain stable this week:

Anthropic: 7,550 total assets (no new additions)
OpenAI: 6,366 total assets (no new additions)
Langchain: 2,690 total assets (no new additions)
MCP: 2,069 total assets (no new additions)
Ollama: 1,909 total assets (no new additions)

MCP Server Growth

This week saw the addition of 5,946 new MCP servers:

Top New MCP Servers:
- wanshuiyin/Auto-claude-code-research-in-sleep: ARIS \u2694\ufe0f (Auto-Research-In-Sleep) for autonomous ML research.
- knowsuchagency/mcp2cli: A CLI tool that turns any MCP, OpenAPI, or GraphQL server into a runtime CLI.

Trust & Compliance

The trust score distribution remains consistent:

High: 9,811 assets
Medium: 143,611 assets
Low: 56,472 assets
Average: 50.9

Outlook

The ecosystem continues to diversify with a focus on devops and infrastructure tools, while maintaining strong contributions from GitHub repositories. The high trust scores among new additions indicate growing confidence in the quality of these tools within the community.

Originally published on nerq.ai

We Scanned 4.5 Million AI Assets — The Results Are a Wake-Up Call

Anders — Sun, 15 Mar 2026 12:12:19 +0000

Over the past year we've been crawling, indexing, and scoring AI assets across every major registry: GitHub, HuggingFace, PyPI, npm, Docker Hub, and more. The index now covers 4,518,802 active assets — agents, tools, MCP servers, models, and datasets.

We computed a Trust Score for each one. Then we looked at the distribution.

It's not what you'd hope for.

The Grade Distribution

Every asset in the index gets a letter grade based on its aggregate Trust Score. Here's where 4.5 million assets land:

Grade	Count	% of total
A+	32	<0.01%
A	971	0.02%
B	8,891	0.20%
C	38,651	0.86%
D	4,378,026	96.9%
E	92,024	2.04%
F	164	<0.01%

96.9% of active AI assets in the ecosystem grade D.

That's not a sign that the scoring is too strict. The Trust Score is designed to reflect the actual signals developers use to evaluate software quality: maintenance activity, documentation, license clarity, security hygiene, community engagement. A grade-D asset has weak or absent signals across most of those dimensions.

The ecosystem is young. A large fraction of what's been published is experimental, abandoned, or thinly documented. That's not surprising. What's surprising is how concentrated the top of the distribution is: 1,003 assets at A or A+ out of 4.5 million.

What the Score Measures

The Trust Score is a composite of five dimensions, each scored 0–100:

Quality score — Code structure, presence of tests, release discipline, dependency management. The average quality score across all GitHub assets in the index is 0.31 out of 100 on the raw scale. That's not a rounding error.

Documentation score — README completeness, presence of examples, API reference, installation instructions. Average: 0.35. In practice, 100% of GitHub repos in the index have documentation scores below 10. Many have a README that's three lines long.

Activity score — Commit frequency over the trailing 12 months, issue response time, contributor count. Average: 0.68. Slightly better, but still very low in absolute terms.

Security score — Dependency audit status, presence of a SECURITY.md, CVE history, code scanning integration. Average: 0.01. Nearly zero. The security signal is effectively absent across the index.

Popularity score — Stars, forks, downloads, downstream dependents. This is where the distribution is most unequal: a handful of repos have tens of thousands of stars; the median is in the low single digits.

The License Problem

99% of all active assets in the index have no license declaration. Among higher-scored assets (trust score above 40), it's still 91% without a clear license.

This is partly a GitHub culture artifact — many developers don't add a LICENSE file because the tool is "just for personal use" or "not production-ready yet." But it becomes a problem when those tools end up in enterprise AI stacks through transitive dependencies. No license means no clear terms of use, no warranty disclaimer, no guidance on commercial use.

It also drags the trust score down. A missing license is a documentation gap and a legal ambiguity. Both are signals the scorer penalizes.

Project-Level Scans: A Better Picture

The index-level data is bleak because it includes everything — early experiments, one-off scripts, abandoned repos. The project scan data is more optimistic because it covers repos people are actually using and updating.

We've scanned 627 real AI projects via the /v1/scan-project endpoint. The grade distribution there:

Grade	Count	%
A	91	14.5%
B	305	48.6%
C	198	31.6%
D	29	4.6%
F	4	0.6%

Average trust score across dependencies in those projects: 60.5 / 100. That's a B–/C+ range, which is not great but is meaningfully better than the index average.

Across 19,276 dependency relationships in those 627 scans:

13,790 deps (71.5%) have no license declaration
3,020 deps were flagged as low-trust (below the warning threshold)

The license number holds even at the project level. Active, maintained, real-world AI projects are overwhelmingly pulling in unlicensed dependencies.

MCP Servers: A Specific Concern

The 23,745 MCP servers in the index deserve separate attention. MCP servers aren't passive libraries — they run as processes with access to whatever the user grants them: filesystems, databases, credentials, external APIs.

Their grade distribution:

Grade	Count	%
A+ / A	164	0.7%
B	1,430	6.0%
C	2,416	10.2%
D	14,414	60.7%
E	5,249	22.1%

60.7% of MCP servers grade D. These are tools that run inside your AI assistant's context, often with broad permissions, often written quickly by individual developers experimenting with the format. Most are harmless. But "harmless" and "low-trust" are not the same thing — and the difference matters when you're granting a tool access to your filesystem.

What This Actually Means

We're not publishing these numbers to discourage AI development. The ecosystem is early, and early ecosystems have messy quality distributions. That's normal.

The problem is the absence of visibility. Before this kind of index existed, there was no easy way to check the trust posture of an AI tool before integrating it. You could read the README, star count, and gut-feel your way to a decision. Now there's a 4.5-million-asset database with computed scores, updated continuously, with a free API.

Use it. Check the tools you depend on. Run a project scan before your next deploy. Look at the security score column — even if it's zero, knowing it's zero is information.

The index is at nerq.ai. Free search, free API, no account needed.

Methodology note: Trust Scores are computed from publicly available signals (GitHub API, package registry metadata, documentation analysis). They are quality and maintenance signals, not security audits. A high trust score does not guarantee safety; a low trust score does not guarantee danger. The scores reflect what the data shows, not what we wish it showed.