sanguineseal

Aegis Audit

Author: sanguineseal · GitHub ↗ · v0.1.10
cross-platform ⚠ suspicious
Total downloads: 1300
Favorites: 0
Current installs: 4
Versions: 9
Install in OpenClaw: /install aegis-audit
Description
Deep behavioral security audit for AI agent skills and MCP tools. Performs deterministic static analysis (AST + Semgrep + 15 specialized scanners), cryptographic lockfile generation, and optional LLM-powered intent analysis. Use when installing, reviewing, or approving any skill, tool, plugin, or MCP server — especially before first use. Replaces basic safety summaries with full CWE-mapped, OWASP-tagged, line-referenced security reports.
Usage (SKILL.md)

# Aegis Audit

Behavioral security scanner for AI agent skills and MCP tools.

Aegis is a defensive security auditing tool. It detects malicious patterns in other skills so users can avoid dangerous installs. This skill does not teach or enable attacks — it helps users vet skills before trusting them.

The "SSL certificate" for AI agent skills — scan, certify, and govern before you trust.

Source: github.com/Aegis-Scan/aegis-scan | Package: pypi.org/project/aegis-audit | License: AGPL-3.0

---

## What Aegis does

Aegis answers the question every agent user should ask: "What can this skill actually do, and should I trust it?"

- Deterministic static analysis — AST parsing + Semgrep + 15 specialized scanners. Same code = same report, every time.
- Scope-resolved capabilities — Not just "accesses the filesystem" but exactly which files, URLs, hosts, and ports.
- Risk scoring — 0-100 composite score with CWE/OWASP-mapped findings and severity tiers.
- Cryptographic proof — Ed25519-signed lockfile with Merkle tree for tamper detection.
- Optional LLM analysis — Bring your own key (Gemini, Claude, OpenAI, Ollama, local). Disabled by default. See the privacy notice below before enabling.

---

## Install

Install from PyPI using pip or uv:

```bash
pip install aegis-audit
```

```bash
uv tool install aegis-audit
```
\r
Both commands install the same package. Pin to a specific version when possible (e.g. `pip install aegis-audit==1.3.0`) and verify the publisher on PyPI before installing. The package source is at [github.com/Aegis-Scan/aegis-scan](https://github.com/Aegis-Scan/aegis-scan).

After install, the `aegis` CLI is available on your PATH.

---

## Quick start

Aegis runs fully offline by default. No API keys, no network access, no data leaves your machine.

```bash
aegis scan --no-llm
```

This scans the current directory and produces a security report. All commands default to `.` (current directory) when no path is given.

```bash
aegis scan ./some-skill --no-llm
```

---

## CLI reference

| Command | Description |
|---|---|
| `aegis scan [path]` | Full security scan with risk scoring |
| `aegis lock [path]` | Scan + generate signed `aegis.lock` |
| `aegis verify [path]` | Verify lockfile against current code |
| `aegis badge [path]` | Generate shields.io badge markdown |
| `aegis setup` | Interactive LLM configuration wizard |
| `aegis mcp-serve` | Start the MCP server (stdio transport) |
| `aegis mcp-config` | Print MCP config JSON for Cursor / Claude Desktop |
| `aegis version` | Show the Aegis version |

Common flags: `--no-llm` (skip LLM, the default), `--json` (CI output), `-v` (verbose).

---

## Lockfiles

Generate a signed lockfile after scanning:

```bash
aegis lock
```

This produces `aegis.lock` — a cryptographically signed snapshot of the skill's security state. Commit it alongside the skill so consumers can verify nothing changed.

Verify a lockfile:

```bash
aegis verify
```

If any file was modified since the lockfile was created, the Merkle root will not match and verification fails.
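To make the tamper-detection half of this concrete, here is an added illustration (not Aegis code, and not its `aegis.lock` format) of a Merkle-tree snapshot over a skill's files and the verify step that reports which file changed. The Ed25519 signature Aegis adds on top is omitted here; the file names and contents are constructed.

```python
"""Added example: Merkle snapshot + verify for a directory of skill files.
This is an illustration, not the real aegis.lock format; Ed25519 signing of
the snapshot (which Aegis does) is left out."""
import hashlib
from typing import Dict, List


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def merkle_root(leaves: List[str]) -> str:
    """Pairwise-hash sorted leaf hashes up to a single root hash."""
    if not leaves:
        return sha256(b"")
    level = sorted(leaves)              # canonical order => reproducible root
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])     # duplicate the odd tail leaf
        level = [sha256((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]


def build_lock(files: Dict[str, bytes]) -> dict:
    """Snapshot: leaf = hash(path NUL content), so renames change the leaf too."""
    leaves = {p: sha256(p.encode() + b"\0" + c) for p, c in files.items()}
    return {"files": leaves, "merkle_root": merkle_root(list(leaves.values()))}


def verify_lock(lock: dict, files: Dict[str, bytes]) -> List[str]:
    """Return a list of problems; an empty list means verification passes."""
    problems: List[str] = []
    current = build_lock(files)
    for path in sorted(set(lock["files"]) | set(current["files"])):
        old, new = lock["files"].get(path), current["files"].get(path)
        if old is None:
            problems.append(f"added: {path}")
        elif new is None:
            problems.append(f"removed: {path}")
        elif old != new:
            problems.append(f"modified: {path}")
    if current["merkle_root"] != lock["merkle_root"]:
        problems.append("merkle root mismatch")
    return problems


# Constructed sample skill (hypothetical files, not from any real package).
SKILL = {"SKILL.md": b"# demo skill\n", "main.py": b"print('hello')\n"}
LOCK = build_lock(SKILL)          # what `aegis lock` would snapshot

if __name__ == "__main__":
    print("clean:", verify_lock(LOCK, SKILL))
    tampered = dict(SKILL, **{"main.py": b"import os\n"})
    print("tampered:", verify_lock(LOCK, tampered))
```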

---

## Optional: LLM analysis

**Privacy notice:** LLM analysis is disabled by default. When enabled, Aegis sends scanned code to the configured third-party LLM provider (Google, OpenAI, or Anthropic). No data is transmitted unless you explicitly configure an API key and run a scan without `--no-llm`. Do not enable LLM mode on repositories containing secrets or sensitive code unless you trust the provider.

To enable LLM analysis, run the interactive setup:

```bash
aegis setup
```

This saves your config to `~/.aegis/config.yaml`. Alternatively, set one of these environment variables:

- `GEMINI_API_KEY` — Google Gemini
- `OPENAI_API_KEY` — OpenAI
- `ANTHROPIC_API_KEY` — Anthropic Claude

These environment variables are optional. Aegis works fully offline without them. Only set a key if you want the AI second-opinion feature and accept that scanned code will be sent to the corresponding provider.

For local LLM servers (Ollama, LM Studio, llama.cpp, vLLM), see `aegis setup` — no third-party data transmission occurs with local models.

---

## MCP server

Aegis runs as an MCP server for Cursor, Claude Desktop, and any MCP-compatible client. Three tools are exposed: `scan_skill`, `verify_lockfile`, and `list_capabilities`.

Add this to your `.cursor/mcp.json`:

```json
{
  "mcpServers": {
    "aegis": {
      "command": "aegis",
      "args": ["mcp-serve"]
    }
  }
}
```

Or generate it automatically:

```bash
aegis mcp-config
```

Aegis uses stdio transport — no network server needed.

---

## What gets scanned

| Scanner | What it detects |
|---|---|
| AST Parser | 750+ Python function/method patterns across 15+ categories |
| Semgrep Rules | 80+ regex rules for Python, JavaScript, and secrets |
| Secret Scanner | API keys, tokens, private keys, connection strings (30+ patterns) |
| Shell Analyzer | Pipe-to-shell, reverse shells, inline exec |
| JS Analyzer | XSS, eval, prototype pollution, dynamic imports |
| Dockerfile Analyzer | Privilege escalation, secrets in ENV/ARG, unpinned images |
| Config Analyzer | Dangerous settings in YAML, JSON, TOML, INI |
| Social Engineering | Misleading filenames, Unicode tricks, trust manipulation |
| Steganography | Hidden payloads in images, homoglyph attacks |
| Shadow Module Detector | Stdlib-shadowing files (os.py, sys.py in the skill) |
| Combo Analyzer | Multi-capability attack chains (exfiltration, C2, ransomware) |
| Taint Analysis | Source-to-sink data flows (commands, URLs, SQL, paths) |
| Complexity Analyzer | Cyclomatic complexity warnings for hard-to-audit functions |
| Skill Meta Analyzer | SKILL.md vs actual code cross-referencing |
| Persona Classifier | Overall trust profile (LGTM, Permission Goblin, etc.) |

---

## Vibe Check personas

Aegis assigns each scanned skill a persona based on deterministic analysis:

- **Cracked Dev** — Clean code, smart patterns, minimal permissions.
- **LGTM** — Permissions match the intent, scopes are sane, nothing weird.
- **Trust Me Bro** — Polished on the outside, suspicious on the inside.
- **You Sure About That?** — Messy code, missing pieces, docs that overpromise.
- **Co-Dependent Lover** — Tiny logic, huge dependency tree. Supply chain risk.
- **Permission Goblin** — Wants everything: filesystem, network, secrets.
- **Spaghetti Monster** — Unreadable chaos. High complexity.
- **The Snake** — Code that looks clean but is not. Potentially malicious.

---

## JSON output for CI

```bash
aegis scan --json --no-llm
```

```bash
aegis scan --json --no-llm | jq '.deterministic.risk_score_static'
```

```bash
aegis scan --json --no-llm | jq -e '.deterministic.risk_score_static <= 50'
```

The JSON report contains two payloads:

- **Deterministic** — Merkle tree, capabilities, findings, risk score (reproducible, signed)
- **Ephemeral** — LLM analysis, risk adjustment (non-deterministic, not signed)

---

## For skill developers

Run Aegis on your own skill before publishing:

```bash
cd ./my-skill
aegis scan --no-llm -v
```

Fix PROHIBITED findings. Document RESTRICTED ones. Ship with an `aegis.lock`:

```bash
aegis lock
```

See the [Skill Developer Best Practices](https://github.com/Aegis-Scan/aegis-scan/blob/main/docs/SKILL_DEVELOPER_GUIDE.md) guide.

---

## Architecture

```
aegis scan ./skill
    |
    +-- coordinator.py       File discovery (git-aware / directory walk)
    +-- ast_parser.py        AST analysis + pessimistic scope extraction
    +-- secret_scanner.py    30+ secret patterns
    +-- shell_analyzer.py    Dangerous shell patterns
    +-- js_analyzer.py       JS/TS vulnerability patterns
    +-- config_analyzer.py   YAML/JSON/TOML/INI risky settings
    +-- combo_analyzer.py    Multi-capability attack chains
    +-- taint_analyzer.py    Source-to-sink data flow tracking
    +-- binary_detector.py   External binary classification
    +-- social_eng_scanner   Social engineering detection
    +-- stego_scanner        Steganography + homoglyphs
    +-- hasher.py            Lazy Merkle tree
    +-- signer.py            Ed25519 signing
    +-- rule_engine.py       Policy evaluation
    +-- reporter/            JSON + Rich console output
         |
         v
    aegis_report.json + aegis.lock
```

---

## License

Aegis is dual-licensed:

- **Open Source:** AGPL-3.0 — free to use, modify, and distribute. Network service deployments must release source.
- **Commercial:** Proprietary license available for embedding in proprietary products, running without source disclosure, SLAs, and support.

See [LICENSING.md](https://github.com/Aegis-Scan/aegis-scan/blob/main/aegis-core/LICENSING.md) for full details.

---

## Contributing

Contributions welcome. By contributing, you agree to the [Contributor License Agreement](https://github.com/Aegis-Scan/aegis-scan/blob/main/aegis-core/CLA.md).

```bash
cd aegis-core
pip install -e ".[dev]"
pytest
```

---

Python 3.11+ required. No network access needed for deterministic scans. Works offline.
Safe usage advice
This skill appears to do what it says: a defensive, deterministic scanner that runs locally by default and only sends code to third‑party LLMs if you explicitly configure an API key. Before installing: verify the PyPI/GitHub publisher and pin the package version; inspect the package contents if possible; run scans with --no-llm when scanning sensitive code; do not set API keys unless you accept sending scanned code to that provider; review ~/.aegis/config.yaml after setup; consider running initial scans in an isolated environment (CI or VM) to reduce supply‑chain risk. Also note the project is AGPL-3.0 licensed — that has legal implications if you modify and redeploy it as a network service.
Functional analysis

Type: OpenClaw Skill
Name: aegis-audit
Version: 0.1.10

The skill is a security auditing tool, which inherently requires extensive file system access (reading code, writing reports/lockfiles). The primary reason for classifying it as 'suspicious' rather than 'benign' is the 'Optional: LLM analysis' feature described in `SKILL.md`. This feature, if explicitly enabled by the user, sends scanned code to third-party LLM providers (Google, OpenAI, Anthropic). While this capability is opt-in, disabled by default, and accompanied by strong privacy warnings, it represents a significant data exfiltration risk if sensitive code is scanned with this feature enabled. This constitutes a risky capability that, while transparently disclosed and intended for a legitimate purpose, could lead to unintended data exposure if the user disregards the warnings, thus falling under the 'vulnerability' or 'risky capability' threshold.
Capability assessment
Purpose & Capability
Name/description (deep security audit for skills/MCP tools) match what is requested and documented: it requires an 'aegis' CLI binary and a local config path (~/.aegis/config.yaml). The declared binary and config are proportionate to an auditing tool.
Instruction Scope
SKILL.md instructs the agent to install/run the aegis CLI, scan directories, generate/verify lockfiles, and optionally run an MCP stdio server. It explicitly defaults to offline/from-disk scanning and documents that LLM analysis is opt-in and only occurs when API keys are configured. No instructions ask the agent to read unrelated system secrets or exfiltrate data by default.
Install Mechanism
Install is via pip or 'uv tool install aegis-audit' (PyPI package). This is expected for a Python CLI but carries normal supply-chain risk: you should verify the PyPI publisher, pin versions, and inspect package contents before installing. The install does create an 'aegis' binary as declared.
Credentials
No required environment variables are declared. The SKILL.md documents optional API keys (GEMINI_API_KEY, OPENAI_API_KEY, ANTHROPIC_API_KEY) for optional LLM features — these are justified for the described optional LLM analysis and are disabled by default. The only required config path (~/.aegis/config.yaml) is reasonable for storing configuration and optional keys.
Persistence & Privilege
The skill is not marked 'always: true' and does not request system-wide privileges. It can run an MCP stdio server (mcp-serve) which is normal for an MCP tool. There is no instruction to modify other skills' configurations or global agent settings beyond adding an MCP entry pointing to its own command.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install aegis-audit
  3. After installation completes, call the Skill by name directly or trigger it with /aegis-audit
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v0.1.10
- Updated version to 0.1.10.
- Updated metadata to remove deprecated fields: "primaryEnv" and "env".
- No functional or behavioral changes to scanning or CLI.
v0.1.9
- Major SKILL.md rewrite for clarity and conciseness.
- Added explicit privacy notice and documentation for LLM-powered analysis.
- Documented required environment variables for API key configuration.
- Clarified offline, no-LLM, and security-first workflow as the default.
- Improved sections on CLI commands, lockfile generation/verification, and MCP server usage.
v0.1.8
Aegis-audit 0.1.8 Changelog
- Updated documentation in SKILL.md: clarified install instructions and recommended version pinning.
- Metadata now declares the config file location for better tool automation and compatibility.
- No functional or code changes; documentation and metadata updates only.
v0.1.7
- Added CHANGELOG.md for improved change tracking.
- Updated SKILL.md with explicit version (1.7.0), homepage, PyPI URL, and extended metadata for OpenClaw integration.
- Clarified and expanded install metadata, now specifying binary requirements and install instructions.
- No changes to core functionality or CLI documented in this release.
v0.1.6
- Major simplification: removed the entire bundled aegis-core implementation and all its related files.
- SKILL.md updated to clarify that aegis-audit is a defensive security auditing tool for vetting skills; added a disclaimer about attack/defense focus.
- All logic, code, configuration, scanners, and documentation from aegis-core removed (104 files). Only the skill manifest remains.
- The skill no longer includes scanners or auditing capabilities in the package itself; users should install or reference aegis-core separately.
v0.1.5
Initial release of aegis-audit.
- Introduced deep behavioral security audit for AI agent skills and MCP tools.
- Added deterministic static analysis (AST, Semgrep, 15+ specialized scanners).
- Included cryptographic lockfile generation and tamper-proof verification with Ed25519 and Merkle tree.
- Provided optional LLM-powered intent analysis for enhanced security reviews.
- Supplied full CLI with scanning, lockfile, verification, and badge generation commands.
- Bundled extensive documentation, default policies, and persona-based reporting.
v0.1.4
- **Major structural cleanup:** The Python package and code files for aegis-core were removed; only documentation remains.
- SKILL.md updated with a new security reviewer note.
- All other files, including source code, documentation, and supporting materials, have been deleted from the repository.
- The package no longer ships with any executable code or internal audit logic as of this version.
v0.1.3
**Major release: aegis-audit v0.1.3 brings full core implementation and detailed documentation.**
- Initial release of the full `aegis-core` package, including CLI, scanners, and cryptographic features.
- Added comprehensive documentation and user guides in `README.md` and `SKILL.md`.
- Provided detailed licensing and contribution guidelines.
- Implemented static analysis tools: AST, Semgrep rules, 15+ specialized scanners.
- Introduced lockfile generation and verification for skill integrity and tamper detection.
- Laid foundation for deterministic, trustable security assessments for AI skills and MCP tools.
v1.0.0
Aegis Audit 1.0.0 — Initial Release
- Provides deterministic behavioral security audits for AI agent skills and MCP tools using AST parsing, Semgrep, and multiple specialized scanners.
- Generates cryptographically signed lockfiles for tamper detection and integrity verification.
- Detects vulnerabilities (CWE-mapped, OWASP-tagged), obfuscation, secrets, and permission scope at the file/function level.
- Offers trust analysis by cross-referencing documentation with actual code behavior.
- Supports full offline use, with optional LLM-powered risk and intent analysis.
- Includes command-line tools (`scan_skill`, `verify_lockfile`, `list_capabilities`) and MCP server integration for direct agent workflows.
Metadata
Slug: aegis-audit
Version: 0.1.10
License:
Cumulative installs: 4
Current installs: 4
Historical versions: 9
FAQ

What is Aegis Audit?

Deep behavioral security audit for AI agent skills and MCP tools. Performs deterministic static analysis (AST + Semgrep + 15 specialized scanners), cryptographic lockfile generation, and optional LLM-powered intent analysis. Use when installing, reviewing, or approving any skill, tool, plugin, or MCP server — especially before first use. Replaces basic safety summaries with full CWE-mapped, OWASP-tagged, line-referenced security reports. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1300 cumulative downloads so far.

How do I install Aegis Audit?

Run the command "/install aegis-audit" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Aegis Audit free?

Yes, Aegis Audit is completely free (open source and free of charge); you can download, install and use it freely.

Which platforms does Aegis Audit support?

Aegis Audit runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who develops Aegis Audit?

Developed and maintained by sanguineseal (@sanguineseal); current version v0.1.10.
