Scan Your Stack: Verify, Now for Every Dependency at Once
Verify does one thing well: you paste a single repo, package, or MCP server URL, and you get back an evidence-weighted, signed trust verdict — grade, score, and the reasons behind it. It answers the question "should I trust this one thing before I connect to it?"
But nobody ships one dependency. A real agent stack is a requirements.txt with a dozen frameworks, a package.json full of SDKs, an MCP client config wiring up half a dozen servers. Verifying them one at a time — copy, paste, read, repeat — doesn't scale to the thing you actually have in front of you.
So we took the engine behind Verify and pointed it at the whole list. Scan is Verify for your entire stack, in a single pass.
Paste your manifest, get a verdict for everything
Drop in a requirements.txt, a package.json, an MCP server config, or just a plain list of names. Scan pulls out every identifier it recognizes — agent names, owner/repo, npm and PyPI packages, GitHub URLs — resolves each against the curated registry, and returns a verdict per item:
| Dependency | Verdict | Grade | HVTrust |
|---|---|---|---|
| langgraph | Trusted | A | 92.9 |
| crewai | Trusted | A | 81.1 |
| autogen | Trusted | B | 77.4 |
| llama-index | Not trusted yet | D | 46.1 |
| not-an-agent-pkg | Not tracked | — | — |
Results sort risk-first — anything untracked or not-yet-trusted floats to the top, so the things worth a second look are the first things you see. And the three verdicts mean exactly what they say. Trusted: meets the default policy. Not trusted yet: tracked, but the evidence isn't there. Not tracked: we have no independent signal on it — not a verdict of harm, just the absence of a reason to trust.
One number for your whole stack
Every scan leads with the metric you actually want: the average HVTrust across the tracked projects in your stack. It's the fastest read on your overall posture — a stack averaging 80+ is in good shape; a stack dragged down to the 50s is telling you where to look.
How it relates to Verify
Think of it as breadth versus depth. Scan is the wide pass — registry-only, so it's fast, free, and nothing you paste is stored. It's the right tool for triaging a whole dependency list before you install or wire anything up.
Verify is the deep dive on a single project: it returns a signed, verifiable attestation, and for an untracked GitHub repo it can fall through to an instant provisional verdict via open lookup. When a scan surfaces something you want to dig into, the project name links straight to its full profile, and a single check belongs on Verify.
Use it from your browser or your pipeline
The fastest path is the browser front door — paste, scan, done:
- Browser: hvtracker.net/scan — paste a manifest or list
- Single project: hvtracker.net/verify — deep verdict, signed
- HTTP API: `POST /api/v1/scan` with `{"input": "<your manifest>"}`
The API returns the same per-item results plus the stack summary, so you can drop it into CI and fail a build when your average HVTrust slips or an untracked server sneaks in:
```bash
curl -s https://hvtracker.net/api/v1/scan \
  -H 'Content-Type: application/json' \
  -d '{"input": "langgraph\ncrewai\nllama-index"}'
```
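One way to turn that response into a build gate, as an added example that is not code from hvtracker.net. The page does not document the response schema, so the field names `results`, `name`, `verdict` and `hvtrust`, the 75.0 threshold and the allowlist are all assumptions; the sample data is constructed from the table above.

```python
import json
import sys

# Constructed sample response built from the article's table. The schema is
# assumed: "results", "name", "verdict" and "hvtrust" are hypothetical names.
SAMPLE = json.dumps({"results": [
    {"name": "langgraph", "verdict": "Trusted", "hvtrust": 92.9},
    {"name": "crewai", "verdict": "Trusted", "hvtrust": 81.1},
    {"name": "autogen", "verdict": "Trusted", "hvtrust": 77.4},
    {"name": "llama-index", "verdict": "Not trusted yet", "hvtrust": 46.1},
    {"name": "not-an-agent-pkg", "verdict": "Not tracked", "hvtrust": None},
]})

# Verdicts that carry a score; anything else is treated as untracked.
TRACKED = {"Trusted", "Not trusted yet"}


def gate(response_text, min_average=75.0, allowlist=frozenset()):
    """Return (passed, average, findings) for one scan response."""
    findings, scores = [], []
    for item in json.loads(response_text)["results"]:
        name, verdict = item["name"], item["verdict"]
        if verdict in TRACKED:
            scores.append(float(item["hvtrust"]))
        elif name not in allowlist:
            # "Not tracked" or an unrecognized verdict string: fail closed.
            findings.append(f"{name}: {verdict}, no independent signal")
    # Average over tracked projects only, matching the article's stack metric.
    average = sum(scores) / len(scores) if scores else None
    if average is None:
        findings.append("no tracked dependencies, nothing to base trust on")
    elif average < min_average:
        findings.append(f"average HVTrust {average:.1f} below {min_average:.1f}")
    return (not findings, average, findings)


if __name__ == "__main__":
    # In CI, save the API response to a file and pass its path as argv[1];
    # with no argument the constructed sample is evaluated for demonstration.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    passed, average, findings = gate(text)
    print("PASS" if passed else "FAIL", average, *findings, sep="\n")
    if len(sys.argv) > 1:
        sys.exit(0 if passed else 1)
```

The allowlist is for names you expect to be untracked, such as internal packages, so they do not fail every build.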
Scan your stack
Paste your requirements.txt, package.json, or MCP config and get a trust verdict for every dependency in one pass.
Verify was the magnifying glass for one project. Scan is the same lens, held over everything you depend on — because trust is a property of the whole stack, not just the one package you happened to look up.