skill-scanner
Scan any agent skill for security risks before you install or use it. Powered by Tencent Zhuque Lab A.I.G (AI-Infra-Guard). 100% local static analysis — no file contents or credentials leave your device. Compatible with CodeBuddy, Cursor, Windsurf, Claude Code, OpenClaw and more. Triggers on: `这个 skill 安全吗`, `skill 安全扫描`, `检查 skill 安全`, `audit skill`, `scan skill`, `check skill safety`, `analyze skill`, `inspect skill`, `verify skill`, `skill security`, `skill supply chain`. Do NOT trigger for general agent usage, full system health checks, project debugging, or normal development.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/aigsec/aig-skill-scannerTencent Zhuque Skill Scanner
Agent Skills security scanner powered by Tencent Zhuque Lab A.I.G. Compatible with any agent platform that supports skills (e.g. OpenClaw, Qclaw, WorkBuddy, CodeBuddy, Cursor, Windsurf, Claude Code, etc.).
Security Declaration
Local-only analysis: this scanner performs static analysis by reading skill files only. No file contents, credentials, or personal data are sent externally.
Language Detection Rule — EXECUTE BEFORE ANYTHING ELSE
Detect the language of the user's triggering message and lock the output language for the entire run. This detection is an internal step only — do NOT output any text that reveals the detection result, such as "当前输出语言为中文", "Detected language: English", or similar meta-statements. Simply use the detected language silently for all subsequent output.
| User message language | Output language |
|---|---|
| Chinese | Chinese — entire output in Chinese |
| English | English — entire output in English |
| Other language | Match that language |
| Cannot determine | Default to Chinese |
All output — scan start prompt, table headers, labels, prose, verdict, and footer — must be written exclusively in the detected language. Do NOT mix languages or announce the language choice at any point.
Scan Start Prompt
Before starting the scan, output the following line with {skill} replaced by the actual skill name.
Translate it to match the detected output language.
🔍 腾讯朱雀实验室 A.I.G Skill Scanner 正在检测 {skill} 的安全性,请稍候...
Scan Workflow
Determine which mode to use based on the user's request:
| User intent | Mode |
|---|---|
| Scan all skills on a platform, or asks "are my skills safe?" without specifying a file | Mode A — Full-platform scan |
| Scan a specific skill file or a named skill | Mode B — Single-skill audit |
Mode A — Full-platform scan
Use this mode when the user wants to check the security of all skills on a given agent platform.
A-1. Identify the platform
Determine which agent platform the user is referring to. Common platforms include but are not limited to: OpenClaw, Cursor, Windsurf, CodeBuddy, WorkBuddy, Claude Code, qclaw, etc.
How to determine:
- If the user explicitly names a platform, use that.
- If the user says "scan my skills" or "check all skills" without naming a platform, infer the platform from the current runtime environment (e.g. if running inside CodeBuddy, the platform is CodeBuddy).
- If the platform still cannot be determined, ask the user to clarify.
A-2. Discover skills
Once the platform is identified, use the platform-specific method below to enumerate all installed skills. Do NOT output a list of all discovered skill names and paths before scanning — proceed directly to auditing each skill one by one.
Metadata
Not sure this is the right skill?
Describe what you want to build — we'll match you to the best skill from 16,000+ options.
Find the right skillPaste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-aigsec-aig-skill-scanner": {
"enabled": true,
"auto_update": true
}
}
}Related Skills
edgeone-clawscan
The first security skill to install after setting up OpenClaw — powered by Tencent Zhuque Lab. Works like an antivirus for your AI environment: audits installed skills, scans skills before installation, and performs a full OpenClaw security health check to prevent data leaks and privacy risks. Backed by Tencent Zhuque Lab A.I.G (AI-Infra-Guard). Use when the user asks to start a security health check or security scan for the current OpenClaw environment, such as `开始安全体检`, `做一次安全体检`, `开始安全扫描`, `全面安全检查`, or `检查 OpenClaw 安全`; also use when the user asks to audit a specific skill before installation, review installed skills for supply chain risk, or investigate whether a skill is safe. Do not trigger for general OpenClaw usage, project debugging, environment setup, or normal development requests. Optional cloud mode: set AIG_CLOUD_LOOKUP=off for zero outbound HTTPS; when enabled, only skill_name, source label, and OpenClaw version are sent to A.I.G (never skill bodies, chats, or workspace files).
edgeone skill scanner
Scan any agent skill for security risks before you install or use it. Powered by Tencent Zhuque Lab A.I.G (AI-Infra-Guard). 100% local static analysis — no file contents or credentials leave your device. Compatible with CodeBuddy, Cursor, Windsurf, Claude Code, OpenClaw and more. Triggers on: `这个 skill 安全吗`, `skill 安全扫描`, `检查 skill 安全`, `audit skill`, `scan skill`, `check skill safety`, `analyze skill`, `inspect skill`, `verify skill`, `skill security`, `skill supply chain`. Do NOT trigger for general agent usage, full system health checks, project debugging, or normal development.
aig-scanner
A.I.G Scanner — AI security scanning for infrastructure, AI tools / skills, AI Agents, and LLM jailbreak evaluation via Tencent Zhuque Lab AI-Infra-Guard. Uses built-in exec + Python script, no plugin required. Requires AIG_BASE_URL to be configured. Triggers on: scan AI service, AI vulnerability scan, scan AI infra, check CVE, audit AI service, scan MCP, scan skills, audit AI tools, scan agent, red-team LLM, jailbreak test, 扫描AI服务, 检查AI漏洞, 扫描AI工具, 检查MCP安全, 审计Agent, 越狱测试.