ar
mcp
Warn
Health Warn
- License — License: Apache-2.0
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 5 GitHub stars
Code Pass
- Code scan — Scanned 12 files during light audit, no dangerous patterns found
Permissions Pass
- Permissions — No dangerous permissions requested
Purpose
This tool provides a protocol and SDKs for generating cryptographically signed, tamper-evident audit trails for actions performed by AI agents. It is designed to help developers securely track and verify agent interactions.
Security Assessment
The overall risk is Low. The automated code scan reviewed 12 files and found no dangerous patterns, hardcoded secrets, or requests for excessive permissions. As an audit and proxy tool, it handles action data and uses cryptography, but it does not appear to execute arbitrary or hidden shell commands. The tool requires standard network capabilities to function as a proxy and interact with external APIs, but it does not access inherently sensitive local data like private keys beyond what is explicitly passed by the user for signing.
Quality Assessment
The project is actively maintained, with its last code push occurring today. It uses the permissive Apache-2.0 license, includes clear documentation, and runs continuous integration tests across Go, TypeScript, and Python. However, community adoption is currently very low, with only 5 GitHub stars. Because of this low visibility, the tool has not been widely battle-tested or vetted by a large audience.
Verdict
Use with caution. While the code is clean, safe, and actively maintained, its extremely low community visibility means it should be evaluated carefully before relying on it in production environments.
This tool provides a protocol and SDKs for generating cryptographically signed, tamper-evident audit trails for actions performed by AI agents. It is designed to help developers securely track and verify agent interactions.
Security Assessment
The overall risk is Low. The automated code scan reviewed 12 files and found no dangerous patterns, hardcoded secrets, or requests for excessive permissions. As an audit and proxy tool, it handles action data and uses cryptography, but it does not appear to execute arbitrary or hidden shell commands. The tool requires standard network capabilities to function as a proxy and interact with external APIs, but it does not access inherently sensitive local data like private keys beyond what is explicitly passed by the user for signing.
Quality Assessment
The project is actively maintained, with its last code push occurring today. It uses the permissive Apache-2.0 license, includes clear documentation, and runs continuous integration tests across Go, TypeScript, and Python. However, community adoption is currently very low, with only 5 GitHub stars. Because of this low visibility, the tool has not been widely battle-tested or vetted by a large audience.
Verdict
Use with caution. While the code is clean, safe, and actively maintained, its extremely low community visibility means it should be evaluated carefully before relying on it in production environments.
Agent Receipts — cryptographically signed audit trails for AI agent actions. Protocol spec, SDKs (Go, TypeScript, Python), and MCP proxy.
README.md
Agent Receipts
Cryptographically signed audit trails for AI agent actions
| Project site & docs | agentreceipts.ai |
| API reference | Go · TypeScript · Python |
| Blog | Your AI Agent Just Sent an Email |
| Go | sdk/go · mcp-proxy · dashboard |
| npm | @agnt-rcpt/sdk-ts |
| PyPI | agent-receipts |
What is this?
Agent Receipts is an open protocol and set of SDKs for producing cryptographically signed, tamper-evident records of AI agent actions. Every action an agent takes -- API calls, tool use, data access -- gets a verifiable receipt that can be audited later.
Project layout
| Project | Description |
|---|---|
docs/adr/ |
Architecture Decision Records |
spec/ |
Protocol specification, JSON schemas, governance |
sdk/go/ |
Go SDK |
sdk/ts/ |
TypeScript SDK |
sdk/py/ |
Python SDK |
mcp-proxy/ |
MCP proxy with receipt signing, policy engine, intent tracking |
cross-sdk-tests/ |
Cross-language verification tests |
| dashboard | Local web UI for browsing and verifying receipt databases |
| openclaw | Agent Receipts plugin for OpenClaw |
Quick start
Go
go get github.com/agent-receipts/ar/sdk/go
import receipt "github.com/agent-receipts/ar/sdk/go/receipt"
r, _ := receipt.New(receipt.WithAction("tool_call", payload))
signed, _ := r.Sign(privateKey)
TypeScript
npm install @agnt-rcpt/sdk-ts
import { Receipt } from "@agnt-rcpt/sdk-ts";
const receipt = await Receipt.create({ action: "tool_call", payload });
const signed = await receipt.sign(privateKey);
Python
pip install agent-receipts
from agent_receipts import Receipt
receipt = Receipt.create(action="tool_call", payload=payload)
signed = receipt.sign(private_key)
Contributing
See CONTRIBUTING.md for development setup and PR guidelines.
Security
See SECURITY.md to report vulnerabilities.
License
Apache License 2.0 -- see LICENSE.
The protocol specification in spec/ is licensed under MIT.
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found