What Is ANP? The Open Standard for Portable Agent Tools

There is no shortage of ways to package software. Python has pip and PyPI. JavaScript has npm. Containers have Docker. But when it comes to packaging AI agent tools — capabilities that need typed schemas, declared permissions, framework adapters, and trust verification — none of these formats work. They were designed for a different era, solving a different problem.

ANP (AgentNode Package) is the open standard built specifically for portable AI agent tools. It is what makes a web scraping skill written for LangChain work seamlessly in CrewAI, AutoGPT, a Model Context Protocol server, or plain Python — without the author rewriting a single line of code.

This article is a deep technical dive into what ANP is, why it exists, how its manifest structure works, and why it is positioned to become the universal packaging format for the AI agent ecosystem.

The Problem: Why Existing Formats Fail for Agent Tools

To understand why ANP is necessary, you need to understand what makes agent tools fundamentally different from regular software packages.

Pip and PyPI: No Schema, No Trust

PyPI is the world's largest Python package registry, hosting over 500,000 packages. But it was designed for libraries and applications, not agent tools. A pip package has no way to declare:

What inputs it expects — there is no typed input schema in a pip package manifest
What outputs it produces — return types are documented (maybe) but not machine-readable
What permissions it requires — a pip package can access the network, filesystem, and execute arbitrary code with no restrictions and no declarations
What it does — beyond a text description, there is no structured capability declaration

For a human developer, these gaps are manageable. You read the docs, check the source code, and decide if you trust it. For an AI agent that needs to programmatically discover, evaluate, and invoke tools at runtime, these gaps are fatal.

npm: Wrong Ecosystem, Same Gaps

npm solved packaging for JavaScript the way PyPI solved it for Python. But it shares the same fundamental limitations: no capability declarations, no permission model, no cross-framework compatibility layer. An npm package is a JavaScript module, not a tool an AI agent can understand and invoke through a standard interface.

Docker: Too Heavy, Too Opaque

Docker solves isolation and portability for applications, but it is wildly over-engineered for individual agent tools. Running each tool in its own container adds hundreds of milliseconds of cold-start latency, consumes significant memory, and makes tool composition (chaining multiple tools) impractical. More importantly, a Docker image is opaque — an agent cannot introspect what tools are inside, what schemas they expect, or what permissions they need without running the container.

MCP: Protocol, Not Package

The Model Context Protocol (MCP) deserves special attention because it is often confused with ANP. MCP is a communication protocol — it defines how a client (like Claude or Cursor) talks to a tool server over JSON-RPC. It specifies the wire format for discovering tools, calling tools, and receiving results.

What MCP does not do is define how tools are packaged, distributed, verified, or made portable across frameworks. An MCP server is a running process, not a distributable package. You cannot "install" an MCP server from a registry the way you install a pip package. ANP fills exactly this gap: it is the package format that can contain tools which are then served via MCP, used in LangChain, or invoked in any other framework.

What ANP Actually Is

ANP (AgentNode Package) is a manifest-driven package format for AI agent tools. An ANP package is a directory containing:

manifest.json — the structured descriptor that declares everything an agent needs to know about the package
Implementation files — the actual Python modules containing tool logic
Optional tests — publisher-provided test files that validate tool behavior
Optional assets — configuration files, templates, or data files the tools require

The manifest is the heart of ANP. It is what makes agent tools machine-readable, discoverable, and trustworthy. For full details on every field, see the ANP manifest reference guide.

The ANP Manifest Structure

Here is the complete structure of an ANP manifest.json, annotated with what each section does:

{
  "manifest_version": "0.2",
  "name": "web-scraper",
  "version": "1.2.0",
  "summary": "Extract structured content from web pages",
  "description": "A comprehensive web scraping tool that handles static and dynamic pages, respects robots.txt, and returns clean structured content.",
  "author": {
    "name": "Jane Developer",
    "email": "jane@example.com",
    "url": "https://github.com/janedev"
  },
  "license": "MIT",
  "repository": "https://github.com/janedev/web-scraper-anp",
  "capabilities": [
    {
      "name": "scrape_page",
      "capability_type": "tool",
      "description": "Scrape a web page and return structured content",
      "entrypoint": "tools.scraper:scrape_page",
      "input_schema": {
        "type": "object",
        "properties": {
          "url": {"type": "string", "format": "uri"},
          "format": {"type": "string", "enum": ["text", "markdown", "html"]},
          "include_metadata": {"type": "boolean", "default": false}
        },
        "required": ["url"]
      },
      "output_schema": {
        "type": "object",
        "properties": {
          "content": {"type": "string"},
          "title": {"type": "string"},
          "word_count": {"type": "integer"}
        }
      }
    }
  ],
  "permissions": {
    "network": "external",
    "filesystem": "none",
    "code_execution": "none",
    "environment_variables": []
  },
  "dependencies": {
    "python": ">=3.9",
    "packages": [
      "httpx>=0.24.0",
      "beautifulsoup4>=4.12.0",
      "lxml>=4.9.0"
    ]
  },
  "compatibility": {
    "frameworks": ["langchain", "crewai", "autogpt", "mcp", "vanilla"],
    "python": ">=3.9"
  },
  "tags": ["web-scraping", "content-extraction", "html-parsing"]
}

Capability Declarations

The capabilities array is what makes ANP fundamentally different from pip or npm. Each capability entry declares:

What the tool does — a human-readable description that agents can also use for tool selection
How to call it — an entrypoint string that resolves to a specific function
What it expects — a JSON Schema describing the input
What it returns — a JSON Schema describing the output

This level of declaration means an AI agent can programmatically read a manifest, understand whether a tool fits its needs, construct valid input, and parse the output — all without human intervention or documentation reading.

The Permission Model

ANP's permission model is inspired by mobile app permissions, adapted for the agent tool context. Every package must declare:

network — none, localhost, or external. Does this tool make HTTP requests?
filesystem — none, read, write, or full. Does this tool access the filesystem?
code_execution — none or sandboxed. Does this tool execute dynamic code?
environment_variables — an explicit list of env vars the tool reads (e.g., API keys)

Permissions are declarations, not enforcements (enforcement happens at the runtime/sandbox level). But they serve two critical purposes: they let agents make informed trust decisions, and they let the verification pipeline know what to expect during testing. A tool that declares "network": "none" but makes HTTP requests during smoke testing will be flagged and downgraded.

Cross-Framework Compatibility

The compatibility.frameworks field declares which agent frameworks the package supports. The AgentNode SDK uses this field to generate the appropriate adapter when loading a tool:

from agentnode_sdk import load_tool

# Load as a vanilla callable
tool = load_tool("web-scraper")
result = tool.run({"url": "https://example.com"})

# Load as a LangChain tool
from agentnode.adapters import as_langchain_tool
lc_tool = as_langchain_tool("web-scraper")
# lc_tool is now a LangChain BaseTool instance

# Load as an MCP tool definition
from agentnode.adapters import as_mcp_tool
mcp_def = as_mcp_tool("web-scraper")
# mcp_def is a valid MCP tool schema

The magic here is that the tool author writes their implementation once. The ANP manifest provides enough metadata (input schema, output schema, entrypoint) for the SDK to generate framework-specific wrappers automatically. The tool does not need framework-specific code — the adapter layer handles the translation.

ANP vs. MCP: Complementary, Not Competing

The most common question about ANP is how it relates to the Model Context Protocol (MCP). The answer is simple: they operate at different layers of the stack.

Aspect	ANP	MCP
Type	Package format	Communication protocol
Purpose	Package, distribute, verify tools	Call tools at runtime via JSON-RPC
Scope	Registry to installation	Client to server communication
Distribution	Installable from registry	Must be running as a server
Verification	Built-in trust scores	No built-in verification
Framework support	All major frameworks	MCP-compatible clients only

ANP and MCP are complementary. An ANP package can contain tools that are served via an MCP server. You install the package using ANP, and then expose it over MCP. Or you use it directly with LangChain. Or CrewAI. The packaging is independent of the runtime protocol.

For a broader comparison of why agent tools need their own registry format, see the tutorial on ANP overview and capabilities.

Why ANP Uses JSON Schema

A deliberate design decision in ANP is the use of JSON Schema for input and output declarations. This choice was not arbitrary:

Machine-readable — JSON Schema is a well-established standard with parsers in every language
LLM-native — every major LLM already understands JSON Schema for function calling (OpenAI, Anthropic, Google all use it)
Validatable — input can be validated against the schema before calling the tool, preventing errors at invocation time
Generatable — the verification pipeline can auto-generate test inputs from the schema for smoke testing

This means that when an AI agent reads an ANP manifest, the capability schemas are in the exact same format the agent already uses for function calling. There is zero translation overhead between "understanding what a tool expects" and "generating a valid call to that tool."

The Verification Pipeline

ANP packages are not just stored — they are verified. When a package is published to AgentNode, the manifest declarations become testable assertions:

Dependency installation — the packages listed in dependencies.packages are installed in a clean sandbox
Entrypoint validation — every entrypoint in the capabilities array is imported and checked to be callable
Schema smoke testing — test inputs are generated from input_schema and the tool is called; output is validated against output_schema
Permission auditing — sandbox telemetry checks whether the tool's runtime behavior matches its declared permissions
Publisher tests — if test files are included, they are executed and graded

The result is a trust score from 0 to 100 that maps to a tier: Gold (90+), Verified (70-89), Partial (50-69), or Unverified (<50). This score is per-version — each new release is re-verified independently.

For a complete walkthrough of how scoring works, see the guide on understanding verification trust scores.

Publishing an ANP Package

Creating and publishing an ANP package involves three steps:

Step 1: Create the Manifest

Write a manifest.json following the schema above. The AgentNode CLI can scaffold one for you:

agentnode init my-tool
# Creates a directory with manifest.json template and example code

Step 2: Implement Your Tools

Write the Python functions referenced in your manifest's entrypoints. Each function should accept a dictionary matching the input schema and return a dictionary matching the output schema.

Step 3: Publish

agentnode publish ./my-tool

The CLI validates the manifest locally, packages the directory, uploads it to AgentNode, and triggers the verification pipeline. Within minutes, your package has a trust score and is discoverable by every agent developer in the ecosystem.

You can publish directly from the AgentNode publish page as well, which provides a guided interface for first-time publishers.

The Future of ANP

ANP 0.2 is the current stable version, but the roadmap includes several significant additions:

Multi-language support — ANP 0.3 will support JavaScript and TypeScript tool implementations alongside Python
Capability composition — declaring that a tool depends on other ANP capabilities, enabling automatic resolution chains
Streaming outputs — support for tools that produce incremental results (e.g., a web scraper that yields pages as they are processed)
Permission enforcement — moving from declaration-only to runtime enforcement via the AgentNode SDK sandbox
Versioned compatibility — framework-specific version constraints (e.g., "compatible with LangChain 0.2+")

The goal is for ANP to evolve into the definitive standard for packaging, distributing, and verifying any capability an AI agent might need — regardless of language, framework, or deployment environment.

Getting Started with ANP

If you are an agent developer, you are already using ANP every time you install a package from AgentNode — the SDK handles the format transparently. If you are a tool author, the best place to start is the AgentNode documentation, which walks through creating your first ANP package step by step.

The agent tool ecosystem is still early. Standards are being established now, and they will shape how millions of developers build and share AI capabilities for years to come. ANP is AgentNode's bet on what that standard should look like: open, typed, verifiable, and portable.

Frequently Asked Questions

What does ANP stand for?

ANP stands for AgentNode Package. It is the open manifest-driven format for packaging, distributing, and verifying AI agent tools. ANP defines how tool capabilities, input/output schemas, permissions, and framework compatibility are declared in a machine-readable manifest.

How is ANP different from MCP?

ANP is a package format for distributing and verifying agent tools. MCP (Model Context Protocol) is a communication protocol for calling tools at runtime. ANP handles packaging, registry distribution, and trust verification. MCP handles the client-server communication when a tool is actually invoked. They are complementary — an ANP package can contain tools that are served via MCP.

Is ANP open source?

The ANP specification is open and publicly documented. Tool authors can implement ANP-compliant packages without any proprietary dependencies. The AgentNode registry is the primary distribution channel for ANP packages, and the SDK that reads and loads ANP packages is available as an open-source Python library.

Can I convert existing tools to ANP?

Yes. AgentNode provides an import tool that converts existing LangChain tools, MCP servers, OpenAI functions, and CrewAI tools into ANP packages. You paste your existing code, and the importer generates a manifest.json with typed schemas inferred from your code. You can also write the manifest manually — it is a straightforward JSON file.

LLM Runtime: Let the Model Handle It

If your agent uses OpenAI or Anthropic tool calling, AgentNodeRuntime handles tool registration, system prompt injection, and the tool loop automatically. The LLM discovers, installs, and runs AgentNode capabilities on its own — no hardcoded tool calls needed.

from openai import OpenAI
from agentnode_sdk import AgentNodeRuntime

runtime = AgentNodeRuntime()

result = runtime.run(
    provider="openai",
    client=OpenAI(),
    model="gpt-4o",
    messages=[{"role": "user", "content": "your task here"}],
)
print(result.content)

The Runtime registers 5 meta-tools (agentnode_capabilities, agentnode_search, agentnode_install, agentnode_run, agentnode_acquire) that let the LLM search the registry, install packages, and execute tools autonomously. Works with Anthropic too — just change provider="anthropic" and pass an Anthropic client.

See the LLM Runtime documentation for the full API reference, trust levels, and manual tool calling.