{
  "schemaVersion": "1.0",
  "item": {
    "slug": "aegis-audit",
    "name": "Aegis Audit",
    "source": "tencent",
    "type": "skill",
    "category": "Developer Tools",
    "sourceUrl": "https://clawhub.ai/sanguineseal/aegis-audit",
    "canonicalUrl": "https://clawhub.ai/sanguineseal/aegis-audit",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/aegis-audit",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=aegis-audit",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "CHANGELOG.md",
      "LICENSING.md",
      "SKILL.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/aegis-audit"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/aegis-audit",
    "agentPageUrl": "https://openagent3.xyz/skills/aegis-audit/agent",
    "manifestUrl": "https://openagent3.xyz/skills/aegis-audit/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/aegis-audit/agent.md"
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Aegis Audit",
        "body": "Behavioral security scanner for AI agent skills and MCP tools.\n\nAegis is a defensive security auditing tool. It detects malicious patterns in other skills so users can avoid dangerous installs. This skill does not teach or enable attacks — it helps users vet skills before trusting them.\n\nThe \"SSL certificate\" for AI agent skills — scan, certify, and govern before you trust.\n\nSource: github.com/Aegis-Scan/aegis-scan | Package: pypi.org/project/aegis-audit | License: AGPL-3.0"
      },
      {
        "title": "What Aegis does",
        "body": "Aegis answers the question every agent user should ask: \"What can this skill actually do, and should I trust it?\"\n\nDeterministic static analysis — AST parsing + Semgrep + 15 specialized scanners. Same code = same report, every time.\nScope-resolved capabilities — Not just \"accesses the filesystem\" but exactly which files, URLs, hosts, and ports.\nRisk scoring — 0-100 composite score with CWE/OWASP-mapped findings and severity tiers.\nCryptographic proof — Ed25519-signed lockfile with Merkle tree for tamper detection.\nOptional LLM analysis — Bring your own key (Gemini, Claude, OpenAI, Ollama, local). Disabled by default. See the privacy notice below before enabling."
      },
      {
        "title": "Install",
        "body": "Install from PyPI using pip or uv:\n\npip install aegis-audit\n\nuv tool install aegis-audit\n\nBoth commands install the same package. Pin to a specific version when possible (e.g. pip install aegis-audit==1.3.0) and verify the publisher on PyPI before installing. The package source is at github.com/Aegis-Scan/aegis-scan.\n\nAfter install, the aegis CLI is available on your PATH."
      },
      {
        "title": "Quick start",
        "body": "Aegis runs fully offline by default. No API keys, no network access, no data leaves your machine.\n\naegis scan --no-llm\n\nThis scans the current directory and produces a security report. All commands default to . (current directory) when no path is given.\n\naegis scan ./some-skill --no-llm"
      },
      {
        "title": "CLI reference",
        "body": "Command\tDescription\naegis scan [path]\tFull security scan with risk scoring\naegis lock [path]\tScan + generate signed aegis.lock\naegis verify [path]\tVerify lockfile against current code\naegis badge [path]\tGenerate shields.io badge markdown\naegis setup\tInteractive LLM configuration wizard\naegis mcp-serve\tStart the MCP server (stdio transport)\naegis mcp-config\tPrint MCP config JSON for Cursor / Claude Desktop\naegis version\tShow the Aegis version\n\nCommon flags: --no-llm (skip LLM, the default), --json (CI output), -v (verbose)."
      },
      {
        "title": "Lockfiles",
        "body": "Generate a signed lockfile after scanning:\n\naegis lock\n\nThis produces aegis.lock — a cryptographically signed snapshot of the skill's security state. Commit it alongside the skill so consumers can verify nothing changed.\n\nVerify a lockfile:\n\naegis verify\n\nIf any file was modified since the lockfile was created, the Merkle root will not match and verification fails."
      },
      {
        "title": "Optional: LLM analysis",
        "body": "Privacy notice: LLM analysis is disabled by default. When enabled, Aegis sends scanned code to the configured third-party LLM provider (Google, OpenAI, or Anthropic). No data is transmitted unless you explicitly configure an API key and run a scan without --no-llm. Do not enable LLM mode on repositories containing secrets or sensitive code unless you trust the provider.\n\nTo enable LLM analysis, run the interactive setup:\n\naegis setup\n\nThis saves your config to ~/.aegis/config.yaml. Alternatively, set one of these environment variables:\n\nGEMINI_API_KEY — Google Gemini\nOPENAI_API_KEY — OpenAI\nANTHROPIC_API_KEY — Anthropic Claude\n\nThese environment variables are optional. Aegis works fully offline without them. Only set a key if you want the AI second-opinion feature and accept that scanned code will be sent to the corresponding provider.\n\nFor local LLM servers (Ollama, LM Studio, llama.cpp, vLLM), see aegis setup — no third-party data transmission occurs with local models."
      },
      {
        "title": "MCP server",
        "body": "Aegis runs as an MCP server for Cursor, Claude Desktop, and any MCP-compatible client. Three tools are exposed: scan_skill, verify_lockfile, and list_capabilities.\n\nAdd this to your .cursor/mcp.json:\n\n{\n  \"mcpServers\": {\n    \"aegis\": {\n      \"command\": \"aegis\",\n      \"args\": [\"mcp-serve\"]\n    }\n  }\n}\n\nOr generate it automatically:\n\naegis mcp-config\n\nAegis uses stdio transport — no network server needed."
      },
      {
        "title": "What gets scanned",
        "body": "Scanner\tWhat it detects\nAST Parser\t750+ Python function/method patterns across 15+ categories\nSemgrep Rules\t80+ regex rules for Python, JavaScript, and secrets\nSecret Scanner\tAPI keys, tokens, private keys, connection strings (30+ patterns)\nShell Analyzer\tPipe-to-shell, reverse shells, inline exec\nJS Analyzer\tXSS, eval, prototype pollution, dynamic imports\nDockerfile Analyzer\tPrivilege escalation, secrets in ENV/ARG, unpinned images\nConfig Analyzer\tDangerous settings in YAML, JSON, TOML, INI\nSocial Engineering\tMisleading filenames, Unicode tricks, trust manipulation\nSteganography\tHidden payloads in images, homoglyph attacks\nShadow Module Detector\tStdlib-shadowing files (os.py, sys.py in the skill)\nCombo Analyzer\tMulti-capability attack chains (exfiltration, C2, ransomware)\nTaint Analysis\tSource-to-sink data flows (commands, URLs, SQL, paths)\nComplexity Analyzer\tCyclomatic complexity warnings for hard-to-audit functions\nSkill Meta Analyzer\tSKILL.md vs actual code cross-referencing\nPersona Classifier\tOverall trust profile (LGTM, Permission Goblin, etc.)"
      },
      {
        "title": "Vibe Check personas",
        "body": "Aegis assigns each scanned skill a persona based on deterministic analysis:\n\nCracked Dev — Clean code, smart patterns, minimal permissions.\nLGTM — Permissions match the intent, scopes are sane, nothing weird.\nTrust Me Bro — Polished on the outside, suspicious on the inside.\nYou Sure About That? — Messy code, missing pieces, docs that overpromise.\nCo-Dependent Lover — Tiny logic, huge dependency tree. Supply chain risk.\nPermission Goblin — Wants everything: filesystem, network, secrets.\nSpaghetti Monster — Unreadable chaos. High complexity.\nThe Snake — Code that looks clean but is not. Potentially malicious."
      },
      {
        "title": "JSON output for CI",
        "body": "aegis scan --json --no-llm\n\naegis scan --json --no-llm | jq '.deterministic.risk_score_static'\n\naegis scan --json --no-llm | jq -e '.deterministic.risk_score_static <= 50'\n\nThe JSON report contains two payloads:\n\nDeterministic — Merkle tree, capabilities, findings, risk score (reproducible, signed)\nEphemeral — LLM analysis, risk adjustment (non-deterministic, not signed)"
      },
      {
        "title": "For skill developers",
        "body": "Run Aegis on your own skill before publishing:\n\ncd ./my-skill\naegis scan --no-llm -v\n\nFix PROHIBITED findings. Document RESTRICTED ones. Ship with an aegis.lock:\n\naegis lock\n\nSee the Skill Developer Best Practices guide."
      },
      {
        "title": "Architecture",
        "body": "aegis scan ./skill\n    |\n    +-- coordinator.py       File discovery (git-aware / directory walk)\n    +-- ast_parser.py        AST analysis + pessimistic scope extraction\n    +-- secret_scanner.py    30+ secret patterns\n    +-- shell_analyzer.py    Dangerous shell patterns\n    +-- js_analyzer.py       JS/TS vulnerability patterns\n    +-- config_analyzer.py   YAML/JSON/TOML/INI risky settings\n    +-- combo_analyzer.py    Multi-capability attack chains\n    +-- taint_analyzer.py    Source-to-sink data flow tracking\n    +-- binary_detector.py   External binary classification\n    +-- social_eng_scanner   Social engineering detection\n    +-- stego_scanner        Steganography + homoglyphs\n    +-- hasher.py            Lazy Merkle tree\n    +-- signer.py            Ed25519 signing\n    +-- rule_engine.py       Policy evaluation\n    +-- reporter/            JSON + Rich console output\n         |\n         v\n    aegis_report.json + aegis.lock"
      },
      {
        "title": "License",
        "body": "Aegis is dual-licensed:\n\nOpen Source: AGPL-3.0 — free to use, modify, and distribute. Network service deployments must release source.\nCommercial: Proprietary license available for embedding in proprietary products, running without source disclosure, SLAs, and support.\n\nSee LICENSING.md for full details."
      },
      {
        "title": "Contributing",
        "body": "Contributions welcome. By contributing, you agree to the Contributor License Agreement.\n\ncd aegis-core\npip install -e \".[dev]\"\npytest\n\nPython 3.11+ required. No network access needed for deterministic scans. Works offline."
      }
    ]
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/sanguineseal/aegis-audit",
    "publisherUrl": "https://clawhub.ai/sanguineseal/aegis-audit",
    "owner": "sanguineseal",
    "version": "0.1.10",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/aegis-audit",
    "downloadUrl": "https://openagent3.xyz/downloads/aegis-audit",
    "agentUrl": "https://openagent3.xyz/skills/aegis-audit/agent",
    "manifestUrl": "https://openagent3.xyz/skills/aegis-audit/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/aegis-audit/agent.md"
  }
}