← Back to Skills Marketplace
906
Downloads
0
Stars
2
Active Installs
7
Versions
Install in OpenClaw
/install aiclude-vulns-scan
Description
Search security vulnerability scan results for MCP Servers and AI Agent Skills from the AICLUDE scan database.
README (SKILL.md)
/security-scan - AICLUDE Vulnerability Scanner
Search the AICLUDE security scan database for vulnerability reports on MCP Servers and AI Agent Skills. If no report exists, the target is registered and scanned automatically.
Usage
/security-scan --name \x3Cpackage-name> [--type mcp-server|skill]
Parameters
--name: Package name to search (npm package, GitHub repo, etc.)--type: Target type (mcp-server|skill) - auto-detected if omitted
Examples
/security-scan --name @anthropic/mcp-server-fetch
/security-scan --name my-awesome-skill --type skill
How It Works
- Sends the package name to the AICLUDE scan API
- If a scan report exists, returns it immediately
- If not, registers the target for scanning
- Waits for the scan to complete and returns the results
- Results are also viewable at https://vs.aiclude.com
Only the package name and type are sent. No source code or credentials are transmitted.
Output
- Risk Level (CRITICAL / HIGH / MEDIUM / LOW / INFO)
- Vulnerability List with locations and descriptions
- Risk Assessment and remediation recommendations
Links
- Web Dashboard: https://vs.aiclude.com
- npm:
@aiclude/security-skill - MCP Server:
@aiclude/security-mcp
License
Apache 2.0 - AICLUDE Inc.
Usage Guidance
This skill appears internally consistent and only needs a package name/type to query AICLUDE's external scan service. Before using it: (1) confirm you trust https://vs.aiclude.com and the linked GitHub repo if you will send any package names; (2) avoid scanning private or sensitive package names unless you accept that the target name will be transmitted to the external service; (3) if you need stronger assurance, review the upstream repo code (the published package) or test the skill with a public package name first; and (4) monitor outbound network activity while the skill runs if you want to verify it only sends the claimed data.
Capability Analysis
Type: OpenClaw Skill
Name: aiclude-vulns-scan
Version: 3.0.0
The skill bundle is classified as benign. Its stated purpose is to provide a security vulnerability scanner for MCP Servers and AI Agent Skills via the AICLUDE scan database. Both SKILL.md and README.md explicitly state that only the package name and type are sent to the external API (vs.aiclude.com), with no source code, files, or credentials transmitted. The package-lock.json primarily lists development and build tools (e.g., tsup, vitest, esbuild, rollup), which are not indicative of malicious runtime behavior. There is no evidence of data exfiltration, malicious execution, persistence, or prompt injection attempts against the AI agent in the provided files.
Capability Assessment
Purpose & Capability
Name/description (vulnerability scanner) align with the instructions and included files: the skill conducts lookups against the AICLUDE scan database and (if needed) registers the target for server-side scanning. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructs the agent to send the package name and type to the AICLUDE scan API, wait for a server-side scan if necessary, and return results. The instructions do not ask the agent to read local files or secrets, but they do require transmitting data externally (package name and type). The claim 'only the package name and type are sent' is plausible but cannot be verified from the instruction-only content.
Install Mechanism
No install spec and no executable code are included in the skill bundle (instruction-only). A package-lock.json and README appear to describe an npm package, which is expected; nothing in the files indicates a remote executable download or other risky install behavior.
Credentials
No environment variables, credentials, or config paths are required. The lack of secret requests is proportionate to the described task.
Persistence & Privilege
always is false (not force-included). disable-model-invocation is false (agent may invoke autonomously) which is the platform default and reasonable for a lookup skill. The skill does not request system-wide configuration changes.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install aiclude-vulns-scan - After installation, invoke the skill by name or use
/aiclude-vulns-scan - Provide required inputs per the skill's parameter spec and get structured output
Version History
v3.0.0
v3.0.0: Standalone package, API-only, dynamic signature auth (no secrets required)
v2.1.1
v2.1.1: License changed to Apache 2.0, branding fix
v2.1.0
v2.1.0: Remote lookup only, no local scan. No credentials required.
v2.0.1
v2.0.1: Added README, version sync with npm
v2.0.0
v2.0.0: Instruction-only skill for querying the AIclude scan database
v1.0.1
v1.0.1
v1.0.0
v1.0.0: AI Agent Security Vulnerability Scanner with 7 parallel engines. Self-contained build, no external deps, full env var and network docs.
Metadata
Frequently Asked Questions
What is AIclude Security Scanner?
Search security vulnerability scan results for MCP Servers and AI Agent Skills from the AICLUDE scan database. It is an AI Agent Skill for Claude Code / OpenClaw, with 906 downloads so far.
How do I install AIclude Security Scanner?
Run "/install aiclude-vulns-scan" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is AIclude Security Scanner free?
Yes, AIclude Security Scanner is completely free (open-source). You can download, install and use it at no cost.
Which platforms does AIclude Security Scanner support?
AIclude Security Scanner is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created AIclude Security Scanner?
It is built and maintained by AICLUDE (@mastergear4824); the current version is v3.0.0.
More Skills