# Send Aegis Audit to your agent Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually. ## Fast path - Download the package from Yavira. - Extract it into a folder your agent can access. - Paste one of the prompts below and point your agent at the extracted folder. ## Suggested prompts ### New install ```text I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete. ``` ### Upgrade existing ```text I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run. ``` ## Machine-readable fields ```json { "schemaVersion": "1.0", "item": { "slug": "aegis-audit", "name": "Aegis Audit", "source": "tencent", "type": "skill", "category": "开发工具", "sourceUrl": "https://clawhub.ai/sanguineseal/aegis-audit", "canonicalUrl": "https://clawhub.ai/sanguineseal/aegis-audit", "targetPlatform": "OpenClaw" }, "install": { "downloadUrl": "/downloads/aegis-audit", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=aegis-audit", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "packageFormat": "ZIP package", "primaryDoc": "SKILL.md", "includedAssets": [ "CHANGELOG.md", "LICENSING.md", "SKILL.md" ], "downloadMode": "redirect", "sourceHealth": { "source": "tencent", "slug": "aegis-audit", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-29T10:28:01.053Z", "expiresAt": "2026-05-06T10:28:01.053Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=aegis-audit", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=aegis-audit", "contentDisposition": "attachment; filename=\"aegis-audit-0.1.10.zip\"", "redirectLocation": null, "bodySnippet": null, "slug": "aegis-audit" }, "scope": "item", "summary": "Item download looks usable.", "detail": "Yavira can redirect you to the upstream package for this item.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/aegis-audit" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] } }, "links": { "detailUrl": "https://openagent3.xyz/skills/aegis-audit", "downloadUrl": "https://openagent3.xyz/downloads/aegis-audit", "agentUrl": "https://openagent3.xyz/skills/aegis-audit/agent", "manifestUrl": "https://openagent3.xyz/skills/aegis-audit/agent.json", "briefUrl": "https://openagent3.xyz/skills/aegis-audit/agent.md" } } ``` ## Documentation ### Aegis Audit Behavioral security scanner for AI agent skills and MCP tools. Aegis is a defensive security auditing tool. It detects malicious patterns in other skills so users can avoid dangerous installs. This skill does not teach or enable attacks — it helps users vet skills before trusting them. The "SSL certificate" for AI agent skills — scan, certify, and govern before you trust. Source: github.com/Aegis-Scan/aegis-scan | Package: pypi.org/project/aegis-audit | License: AGPL-3.0 ### What Aegis does Aegis answers the question every agent user should ask: "What can this skill actually do, and should I trust it?" Deterministic static analysis — AST parsing + Semgrep + 15 specialized scanners. Same code = same report, every time. Scope-resolved capabilities — Not just "accesses the filesystem" but exactly which files, URLs, hosts, and ports. Risk scoring — 0-100 composite score with CWE/OWASP-mapped findings and severity tiers. Cryptographic proof — Ed25519-signed lockfile with Merkle tree for tamper detection. Optional LLM analysis — Bring your own key (Gemini, Claude, OpenAI, Ollama, local). Disabled by default. See the privacy notice below before enabling. ### Install Install from PyPI using pip or uv: pip install aegis-audit uv tool install aegis-audit Both commands install the same package. Pin to a specific version when possible (e.g. pip install aegis-audit==1.3.0) and verify the publisher on PyPI before installing. The package source is at github.com/Aegis-Scan/aegis-scan. After install, the aegis CLI is available on your PATH. ### Quick start Aegis runs fully offline by default. No API keys, no network access, no data leaves your machine. aegis scan --no-llm This scans the current directory and produces a security report. All commands default to . (current directory) when no path is given. aegis scan ./some-skill --no-llm ### CLI reference CommandDescriptionaegis scan [path]Full security scan with risk scoringaegis lock [path]Scan + generate signed aegis.lockaegis verify [path]Verify lockfile against current codeaegis badge [path]Generate shields.io badge markdownaegis setupInteractive LLM configuration wizardaegis mcp-serveStart the MCP server (stdio transport)aegis mcp-configPrint MCP config JSON for Cursor / Claude Desktopaegis versionShow the Aegis version Common flags: --no-llm (skip LLM, the default), --json (CI output), -v (verbose). ### Lockfiles Generate a signed lockfile after scanning: aegis lock This produces aegis.lock — a cryptographically signed snapshot of the skill's security state. Commit it alongside the skill so consumers can verify nothing changed. Verify a lockfile: aegis verify If any file was modified since the lockfile was created, the Merkle root will not match and verification fails. ### Optional: LLM analysis Privacy notice: LLM analysis is disabled by default. When enabled, Aegis sends scanned code to the configured third-party LLM provider (Google, OpenAI, or Anthropic). No data is transmitted unless you explicitly configure an API key and run a scan without --no-llm. Do not enable LLM mode on repositories containing secrets or sensitive code unless you trust the provider. To enable LLM analysis, run the interactive setup: aegis setup This saves your config to ~/.aegis/config.yaml. Alternatively, set one of these environment variables: GEMINI_API_KEY — Google Gemini OPENAI_API_KEY — OpenAI ANTHROPIC_API_KEY — Anthropic Claude These environment variables are optional. Aegis works fully offline without them. Only set a key if you want the AI second-opinion feature and accept that scanned code will be sent to the corresponding provider. For local LLM servers (Ollama, LM Studio, llama.cpp, vLLM), see aegis setup — no third-party data transmission occurs with local models. ### MCP server Aegis runs as an MCP server for Cursor, Claude Desktop, and any MCP-compatible client. Three tools are exposed: scan_skill, verify_lockfile, and list_capabilities. Add this to your .cursor/mcp.json: { "mcpServers": { "aegis": { "command": "aegis", "args": ["mcp-serve"] } } } Or generate it automatically: aegis mcp-config Aegis uses stdio transport — no network server needed. ### What gets scanned ScannerWhat it detectsAST Parser750+ Python function/method patterns across 15+ categoriesSemgrep Rules80+ regex rules for Python, JavaScript, and secretsSecret ScannerAPI keys, tokens, private keys, connection strings (30+ patterns)Shell AnalyzerPipe-to-shell, reverse shells, inline execJS AnalyzerXSS, eval, prototype pollution, dynamic importsDockerfile AnalyzerPrivilege escalation, secrets in ENV/ARG, unpinned imagesConfig AnalyzerDangerous settings in YAML, JSON, TOML, INISocial EngineeringMisleading filenames, Unicode tricks, trust manipulationSteganographyHidden payloads in images, homoglyph attacksShadow Module DetectorStdlib-shadowing files (os.py, sys.py in the skill)Combo AnalyzerMulti-capability attack chains (exfiltration, C2, ransomware)Taint AnalysisSource-to-sink data flows (commands, URLs, SQL, paths)Complexity AnalyzerCyclomatic complexity warnings for hard-to-audit functionsSkill Meta AnalyzerSKILL.md vs actual code cross-referencingPersona ClassifierOverall trust profile (LGTM, Permission Goblin, etc.) ### Vibe Check personas Aegis assigns each scanned skill a persona based on deterministic analysis: Cracked Dev — Clean code, smart patterns, minimal permissions. LGTM — Permissions match the intent, scopes are sane, nothing weird. Trust Me Bro — Polished on the outside, suspicious on the inside. You Sure About That? — Messy code, missing pieces, docs that overpromise. Co-Dependent Lover — Tiny logic, huge dependency tree. Supply chain risk. Permission Goblin — Wants everything: filesystem, network, secrets. Spaghetti Monster — Unreadable chaos. High complexity. The Snake — Code that looks clean but is not. Potentially malicious. ### JSON output for CI aegis scan --json --no-llm aegis scan --json --no-llm | jq '.deterministic.risk_score_static' aegis scan --json --no-llm | jq -e '.deterministic.risk_score_static <= 50' The JSON report contains two payloads: Deterministic — Merkle tree, capabilities, findings, risk score (reproducible, signed) Ephemeral — LLM analysis, risk adjustment (non-deterministic, not signed) ### For skill developers Run Aegis on your own skill before publishing: cd ./my-skill aegis scan --no-llm -v Fix PROHIBITED findings. Document RESTRICTED ones. Ship with an aegis.lock: aegis lock See the Skill Developer Best Practices guide. ### Architecture aegis scan ./skill | +-- coordinator.py File discovery (git-aware / directory walk) +-- ast_parser.py AST analysis + pessimistic scope extraction +-- secret_scanner.py 30+ secret patterns +-- shell_analyzer.py Dangerous shell patterns +-- js_analyzer.py JS/TS vulnerability patterns +-- config_analyzer.py YAML/JSON/TOML/INI risky settings +-- combo_analyzer.py Multi-capability attack chains +-- taint_analyzer.py Source-to-sink data flow tracking +-- binary_detector.py External binary classification +-- social_eng_scanner Social engineering detection +-- stego_scanner Steganography + homoglyphs +-- hasher.py Lazy Merkle tree +-- signer.py Ed25519 signing +-- rule_engine.py Policy evaluation +-- reporter/ JSON + Rich console output | v aegis_report.json + aegis.lock ### License Aegis is dual-licensed: Open Source: AGPL-3.0 — free to use, modify, and distribute. Network service deployments must release source. Commercial: Proprietary license available for embedding in proprietary products, running without source disclosure, SLAs, and support. See LICENSING.md for full details. ### Contributing Contributions welcome. By contributing, you agree to the Contributor License Agreement. cd aegis-core pip install -e ".[dev]" pytest Python 3.11+ required. No network access needed for deterministic scans. Works offline. ## Trust - Source: tencent - Verification: Indexed source record - Publisher: sanguineseal - Version: 0.1.10 ## Source health - Status: healthy - Item download looks usable. - Yavira can redirect you to the upstream package for this item. - Health scope: item - Reason: direct_download_ok - Checked at: 2026-04-29T10:28:01.053Z - Expires at: 2026-05-06T10:28:01.053Z - Recommended action: Download for OpenClaw ## Links - [Detail page](https://openagent3.xyz/skills/aegis-audit) - [Send to Agent page](https://openagent3.xyz/skills/aegis-audit/agent) - [JSON manifest](https://openagent3.xyz/skills/aegis-audit/agent.json) - [Markdown brief](https://openagent3.xyz/skills/aegis-audit/agent.md) - [Download page](https://openagent3.xyz/downloads/aegis-audit)