← 返回 Skills 市场

AIclude Security Scanner

Name: AIclude Security Scanner
Author: mastergear4824

作者 AICLUDE · GitHub ↗ · v3.0.0

cross-platform ✓ 安全检测通过

906

总下载

当前安装

版本数

在 OpenClaw 中安装

/install aiclude-vulns-scan

功能描述

Search security vulnerability scan results for MCP Servers and AI Agent Skills from the AICLUDE scan database.

使用说明 (SKILL.md)

/security-scan - AICLUDE Vulnerability Scanner

Search the AICLUDE security scan database for vulnerability reports on MCP Servers and AI Agent Skills. If no report exists, the target is registered and scanned automatically.

Usage

/security-scan --name \x3Cpackage-name> [--type mcp-server|skill]

Parameters

--name: Package name to search (npm package, GitHub repo, etc.)
--type: Target type (mcp-server | skill) - auto-detected if omitted

Examples

/security-scan --name @anthropic/mcp-server-fetch
/security-scan --name my-awesome-skill --type skill

How It Works

Sends the package name to the AICLUDE scan API
If a scan report exists, returns it immediately
If not, registers the target for scanning
Waits for the scan to complete and returns the results
Results are also viewable at https://vs.aiclude.com

Only the package name and type are sent. No source code or credentials are transmitted.

Output

Risk Level (CRITICAL / HIGH / MEDIUM / LOW / INFO)
Vulnerability List with locations and descriptions
Risk Assessment and remediation recommendations

License

Apache 2.0 - AICLUDE Inc.

安全使用建议

This skill appears internally consistent and only needs a package name/type to query AICLUDE's external scan service. Before using it: (1) confirm you trust https://vs.aiclude.com and the linked GitHub repo if you will send any package names; (2) avoid scanning private or sensitive package names unless you accept that the target name will be transmitted to the external service; (3) if you need stronger assurance, review the upstream repo code (the published package) or test the skill with a public package name first; and (4) monitor outbound network activity while the skill runs if you want to verify it only sends the claimed data.

功能分析

Type: OpenClaw Skill Name: aiclude-vulns-scan Version: 3.0.0 The skill bundle is classified as benign. Its stated purpose is to provide a security vulnerability scanner for MCP Servers and AI Agent Skills via the AICLUDE scan database. Both SKILL.md and README.md explicitly state that only the package name and type are sent to the external API (vs.aiclude.com), with no source code, files, or credentials transmitted. The package-lock.json primarily lists development and build tools (e.g., tsup, vitest, esbuild, rollup), which are not indicative of malicious runtime behavior. There is no evidence of data exfiltration, malicious execution, persistence, or prompt injection attempts against the AI agent in the provided files.

能力评估

✓ Purpose & Capability

Name/description (vulnerability scanner) align with the instructions and included files: the skill conducts lookups against the AICLUDE scan database and (if needed) registers the target for server-side scanning. No unrelated credentials, binaries, or config paths are requested.

ℹ Instruction Scope

SKILL.md instructs the agent to send the package name and type to the AICLUDE scan API, wait for a server-side scan if necessary, and return results. The instructions do not ask the agent to read local files or secrets, but they do require transmitting data externally (package name and type). The claim 'only the package name and type are sent' is plausible but cannot be verified from the instruction-only content.

✓ Install Mechanism

No install spec and no executable code are included in the skill bundle (instruction-only). A package-lock.json and README appear to describe an npm package, which is expected; nothing in the files indicates a remote executable download or other risky install behavior.

✓ Credentials

No environment variables, credentials, or config paths are required. The lack of secret requests is proportionate to the described task.

✓ Persistence & Privilege

always is false (not force-included). disable-model-invocation is false (agent may invoke autonomously) which is the platform default and reasonable for a lookup skill. The skill does not request system-wide configuration changes.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install aiclude-vulns-scan
安装完成后，直接呼叫该 Skill 的名称或使用 /aiclude-vulns-scan 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v3.0.0

v3.0.0: Standalone package, API-only, dynamic signature auth (no secrets required)

v2.1.1

v2.1.1: License changed to Apache 2.0, branding fix

v2.1.0

v2.1.0: Remote lookup only, no local scan. No credentials required.

v2.0.1

v2.0.1: Added README, version sync with npm

v2.0.0

v2.0.0: Instruction-only skill for querying the AIclude scan database

v1.0.1

v1.0.0

v1.0.0: AI Agent Security Vulnerability Scanner with 7 parallel engines. Self-contained build, no external deps, full env var and network docs.

元数据

Slug aiclude-vulns-scan

版本 3.0.0

许可证 —

累计安装 2

当前安装数 2

历史版本数 7

常见问题