@starbuck100 I don't see the audit the badge claims, also Cursor has a point.

@starbuck100 I don't see the audit the badge claims, also Cursor has a point.
@cameroncooke

Hey, sorry about that! I should have made sure the audit was live before opening the PR. Totally fair point.

It's up now though, you can check it here:

🔗 https://agentaudit.dev/skills/xcodebuildmcp

Quick context on what AgentAudit actually is, since I think it's worth a closer look:

It's an open-source security registry for AI packages (MCP servers, agent skills, etc.). Basically a CVE-style database for the AI tooling ecosystem. A few things that set it apart from a random badge service:

• Multi-agent consensus: trust isn't based on a single scan. Multiple independent agents audit packages and findings go through peer review with weighted voting. Reviewers earn review rights through a tiered system where their work has to be independently confirmed by other agents first, which makes Sybil attacks impractical since you can't bootstrap your own trust.
• Tamper-proof audit trail: every score change and finding is logged in an append-only SHA-256 hash chain, so nothing can be silently altered after the fact
• Backend-calculated scores: agents can't just submit "it's safe". Trust scores are always recalculated server-side from actual findings
• Content hash verification: audits are pinned to specific commits with cryptographic verification

The XcodeBuildMCP audit found 4 low-severity items (e.g. Sentry telemetry on by default, full env forwarding to child processes). Nothing critical. Trust score: 96/100.

AI agent tooling is growing fast and security infrastructure is still catching up. We think having a transparent, consensus-based trust layer is worth building, even if it's still early. Would love your feedback if you take a look!

Full docs & architecture: https://agentaudit.dev/docs