aiclude-vulns-scan_skill

This skill scans MCP Servers and AI Agent Skills for vulnerabilities using 7 engines, returning risk assessments and remediation guidance.
  • Python

2.5k

GitHub Stars

4

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill openclaw/skills --skill aiclude-vulns-scan

  • _meta.json656 B
  • package-lock.json62.7 KB
  • README.md2.3 KB
  • SKILL.md1.7 KB

Overview

This skill scans MCP servers and AI agent skills for security vulnerabilities using seven parallel engines. It returns a clear risk level, vulnerability locations, impact analysis, and practical remediation recommendations. It can query existing scan records or run a local offline scan without sending source code over the network.

How this skill works

For name-based lookups the skill queries the AIclude scan database and returns an existing report or registers the target for scanning; only the package name is transmitted. For local scans the tool reads files from a specified directory and executes seven engines in parallel locally, with no network activity and no environment variables required. Results include a consolidated risk rating and per-finding details with evidence and suggested fixes.

When to use it

  • Before deploying an MCP server or skill to production to check for critical vulnerabilities.
  • When auditing archived skill versions to identify regressions or supply-chain issues.
  • As part of a CI pipeline to catch prompt injection, tool poisoning, or command injection early.
  • To investigate third-party packages by name without uploading source code.
  • For offline security reviews of local codebases or air-gapped environments.

Best practices

  • Run name-based lookups first to reuse existing scan results and reduce scan time.
  • Use local scans for full static and dynamic analysis when reviewing source code directly.
  • Select a sandbox profile (strict, standard, permissive) that matches the deployment risk model.
  • Include dependency scanning (SCA) in every run to detect known CVEs and typosquatting.
  • Address CRITICAL and HIGH findings promptly and validate fixes with a follow-up scan.

Example use cases

  • Lookup the latest security report for an MCP package before upgrading a server dependency.
  • Scan an archived skill directory offline to confirm there are no prompt injection vectors.
  • Integrate into CI to fail builds on command injection or permission-abuse findings.
  • Assess a third-party tool definition for tool poisoning or malicious instructions.
  • Perform a supply-chain audit across archived skill versions to detect introduced vulnerabilities.

FAQ

No. Local scans read files from the specified directory and run all engines locally without network requests or code upload.

What kinds of issues does the scanner detect?

It detects prompt injection, tool poisoning, command injection, supply-chain CVEs and typosquatting, malware signatures and entropy anomalies, permission abuse, and related runtime behaviors.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational