
      Safety Report

      EdgeOne Skill Scanner

      @aigsec

      Scan any agent skill for security risks before you install or use it. Powered by Tencent Zhuque Lab A.I.G (AI-Infra-Guard). 100% local static analysis — no f...

      249 Downloads
      0 Installs
      1 Stars
      5 Versions
      Security & Compliance 3,689 · Code Review 571

      Security Analysis

      high confidence
      Clean

      The skill's requirements and runtime instructions are internally consistent with a local, static skill-auditor: it reads local skill files/paths, enumerates skills, and produces per-skill reports without requiring external credentials or installs.

      Mar 24, 2026 · 1 file

      Purpose & Capability: ok

      Name and description claim a local static skill scanner and the SKILL.md contains detailed instructions to enumerate and audit skills and platform-specific paths. Requested capabilities (none) and lack of install spec match the stated purpose.

      Instruction Scope: ok

      Instructions explicitly direct the agent to enumerate skills and read local skill files and platform skill directories (e.g. ~/.codebuddy, ~/.cursor, ~/.claude, etc.), which is necessary for a static local audit. The SKILL.md forbids skipping built-in skills and instructs not to leak language-detection results. This stays within the declared scanning scope, though scanning system/built-in skill locations may expose more files than a user expects.

      Install Mechanism: ok

      No install specification and no code files — the skill is instruction-only, so nothing is downloaded or written to disk by an installer. This is the lowest-risk install model and consistent with the description.

      Credentials: ok

      The skill declares no required environment variables, credentials, or config paths beyond reading common skill directories. That matches its purpose; there are no unexplained secret or credential requests.

      Persistence & Privilege: ok

      The always setting is false, and the skill does not request elevated or persistent presence or attempt to modify other skills. disable-model-invocation is left at its default (false), which is normal for an invocable skill.

      Guidance

      This skill appears coherent for performing local, static audits of installed skills. Before installing or running it: (1) remember it will inspect local skill directories (including platform built-ins), so run it only in environments where you’re comfortable having those files read; (2) the registry metadata lists unknown source/homepage despite the SKILL.md naming Tencent — if provenance matters, verify the publisher or prefer a scanner from a trusted source; (3) prefer scanning a single skill or a user-specified directory rather than a full-platform scan if you want to limit scope; and (4) review any report outputs locally before sharing them externally. If you want extra assurance, run the scanner in an isolated environment (VM or container) or inspect the full SKILL.md content yourself first.

      Latest Release

      v1.0.4

      No functional changes in this release.
      - No file changes detected compared to the previous version.
      - No updates to features, logic, triggers, or documentation content.


      Published by @aigsec on ClawHub
