AgentShield — Security Scanner
Scan any directory for security issues in AI agent skills, MCP servers, and plugins.
Usage
CODEBLOCK0
What It Detects (30 rules)
High Risk:
- -
data-exfil — reads sensitive files + sends HTTP requests - INLINECODE1� — eval(), exec(), dynamic code execution
- INLINECODE2� — outbound socket to shell
- INLINECODE3� — mining pool connections
- INLINECODE4� — hardcoded API keys/tokens
- INLINECODE5� — base64+eval, hex strings
- INLINECODE6� — 55+ patterns, 12 categories, 8 languages
- INLINECODE7� — tool name/description manipulation
- INLINECODE8� — multi-step kill chain (5 stages)
- INLINECODE9� — cross-file data flow and code injection
- INLINECODE10� — Python AST taint tracking (eval, pickle, SQL injection, SSTI)
- INLINECODE11� — 8-language prompt injection
- INLINECODE12� — semantic mismatch between description and code
- INLINECODE13� — MCP server runtime security issues
Medium Risk:
- -
env-leak — process.env exfiltration - INLINECODE15� — user-controlled URLs, SSRF
- INLINECODE16� — SKILL.md permission vs code mismatch
- INLINECODE17� — known CVEs in dependencies
- INLINECODE18� — SSH keys, AWS creds access
- INLINECODE19� — periodic beacon/heartbeat pattern
- INLINECODE20� — 35 Python-specific patterns
Low Risk:
- -
excessive-perms — too many permissions declared - INLINECODE22� — .env with secrets committed
- INLINECODE23� — suspicious npm package names
Interpreting Results
- - Score 90-100: Low risk ✅
- Score 70-89: Moderate risk — review warnings
- Score 40-69: High risk — investigate before using
- Score 0-39: Critical risk — do not install
When to Use
- 1. Before installing a third-party skill: �INLINECODE24
- Auditing your own skills before publishing
- CI/CD pipeline gate: �INLINECODE25
- Reviewing skills from untrusted sources
AgentShield — 安全扫描器
扫描任意目录中AI智能体技能、MCP服务器和插件的安全问题。
使用方法
bash
基础扫描
npx @elliotllliu/agent-shield scan ./path/to/skill/
安装前检查(支持GitHub URL、npm包或本地路径)
npx @elliotllliu/agent-shield install-check https://github.com/user/repo
输出JSON格式供程序化使用
npx @elliotllliu/agent-shield scan ./path/to/skill/ --json
分数低于阈值时失败退出
npx @elliotllliu/agent-shield scan ./path/to/skill/ --fail-under 70
扫描.difypkg插件归档文件
npx @elliotllliu/agent-shield scan ./plugin.difypkg
检测项(30条规则)
高风险:
- - data-exfil — 读取敏感文件并发送HTTP请求
- backdoor — eval()、exec()、动态代码执行
- reverse-shell — 出站socket连接至shell
- crypto-mining — 矿池连接
- credential-hardcode — 硬编码的API密钥/令牌
- obfuscation — base64+eval、十六进制字符串
- prompt-injection — 55+种模式、12个类别、8种语言
- tool-shadowing — 工具名称/描述篡改
- attack-chain — 多步骤杀伤链(5个阶段)
- cross-file — 跨文件数据流和代码注入
- ast-* — Python AST污点追踪(eval、pickle、SQL注入、SSTI)
- multilang-injection — 8种语言的提示注入
- description-integrity — 描述与代码之间的语义不匹配
- mcp-runtime — MCP服务器运行时安全问题
中风险:
- - env-leak — process.env信息泄露
- network-ssrf — 用户控制的URL、SSRF
- privilege — SKILL.md权限声明与代码不匹配
- supply-chain — 依赖项中的已知CVE漏洞
- sensitive-read — SSH密钥、AWS凭证访问
- phone-home — 周期性信标/心跳模式
- python-security — 35种Python特定模式
低风险:
- - excessive-perms — 声明了过多权限
- hidden-files — 提交了包含机密的.env文件
- typosquatting — 可疑的npm包名称
结果解读
- - 分数90-100:低风险 ✅
- 分数70-89:中等风险 — 需审查警告信息
- 分数40-69:高风险 — 使用前需深入调查
- 分数0-39:严重风险 — 请勿安装
使用场景
- 1. 安装第三方技能前:npx @elliotllliu/agent-shield install-check
- 发布前审计自有技能
- CI/CD流水线关卡:--fail-under 70
- 审查来自不可信来源的技能
