Deep behavioral security audit for AI agent skills and MCP tools. Performs deterministic static analysis (AST + Semgrep + 15 specialized scanners), cryptographic lockfile generation, and optional LLM-powered intent analysis. Use when installing, reviewing, or approving any skill, tool, plugin, or MCP server — especially before first use. Replaces basic safety summaries with full CWE-mapped, OWASP-tagged, line-referenced security reports.
---
name: aegis-audit
description: >
Deep behavioral security audit for AI agent skills and MCP tools. Performs deterministic
static analysis (AST + Semgrep + 15 specialized scanners), cryptographic lockfile generation,
and optional LLM-powered intent analysis. Use when installing, reviewing, or approving any
skill, tool, plugin, or MCP server — especially before first use. Replaces basic safety
summaries with full CWE-mapped, OWASP-tagged, line-referenced security reports.
version: 0.1.10
homepage: https://github.com/Aegis-Scan/aegis-scan
url: https://pypi.org/project/aegis-audit/
metadata: {"openclaw":{"emoji":"🔍","homepage":"https://github.com/Aegis-Scan/aegis-scan","requires":{"bins":["aegis"],"config":["~/.aegis/config.yaml"]},"install":[{"kind":"uv","package":"aegis-audit","bins":["aegis"]}]}}
---
# Aegis Audit
Behavioral security scanner for AI agent skills and MCP tools.
Aegis is a **defensive** security auditing tool. It detects malicious patterns in other skills so users can avoid dangerous installs. This skill does not teach or enable attacks — it helps users vet skills before trusting them.
> The "SSL certificate" for AI agent skills — scan, certify, and govern before you trust.
Source: [github.com/Aegis-Scan/aegis-scan](https://github.com/Aegis-Scan/aegis-scan) | Package: [pypi.org/project/aegis-audit](https://pypi.org/project/aegis-audit/) | License: AGPL-3.0
---
## What Aegis does
Aegis answers the question every agent user should ask: *"What can this skill actually do, and should I trust it?"*
- **Deterministic static analysis** — AST parsing + Semgrep + 15 specialized scanners. Same code = same report, every time.
- **Scope-resolved capabilities** — Not just "accesses the filesystem" but exactly which files, URLs, hosts, and ports.
- **Risk scoring** — 0-100 composite score with CWE/OWASP-mapped findings and severity tiers.
- **Cryptographic proof** — Ed25519-signed lockfile with Merkle tree for tamper detection.
- **Optional LLM analysis** — Bring your own key (Gemini, Claude, OpenAI, Ollama, local). Disabled by default. See the privacy notice below before enabling.
---
## Install
Install from [PyPI](https://pypi.org/project/aegis-audit/) using pip or uv:
```bash
pip install aegis-audit
```
```bash
uv tool install aegis-audit
```
Both commands install the same package. Pin to a specific version when possible (e.g. `pip install aegis-audit==1.3.0`) and verify the publisher on PyPI before installing. The package source is at [github.com/Aegis-Scan/aegis-scan](https://github.com/Aegis-Scan/aegis-scan).
After install, the `aegis` CLI is available on your PATH.
---
## Quick start
Aegis runs fully offline by default. No API keys, no network access, no data leaves your machine.
```bash
aegis scan --no-llm
```
This scans the current directory and produces a security report. All commands default to `.` (current directory) when no path is given.
```bash
aegis scan ./some-skill --no-llm
```
---
## CLI reference
| Command | Description |
|---|---|
| `aegis scan [path]` | Full security scan with risk scoring |
| `aegis lock [path]` | Scan + generate signed `aegis.lock` |
| `aegis verify [path]` | Verify lockfile against current code |
| `aegis badge [path]` | Generate shields.io badge markdown |
| `aegis setup` | Interactive LLM configuration wizard |
| `aegis mcp-serve` | Start the MCP server (stdio transport) |
| `aegis mcp-config` | Print MCP config JSON for Cursor / Claude Desktop |
| `aegis version` | Show the Aegis version |
Common flags: `--no-llm` (skip LLM, the default), `--json` (CI output), `-v` (verbose).
---
## Lockfiles
Generate a signed lockfile after scanning:
```bash
aegis lock
```
This produces `aegis.lock` — a cryptographically signed snapshot of the skill's security state. Commit it alongside the skill so consumers can verify nothing changed.
Verify a lockfile:
```bash
aegis verify
```
If any file was modified since the lockfile was created, the Merkle root will not match and verification fails.
---
## Optional: LLM analysis
**Privacy notice:** LLM analysis is disabled by default. When enabled, Aegis sends scanned code to the configured third-party LLM provider (Google, OpenAI, or Anthropic). No data is transmitted unless you explicitly configure an API key and run a scan without `--no-llm`. Do not enable LLM mode on repositories containing secrets or sensitive code unless you trust the provider.
To enable LLM analysis, run the interactive setup:
```bash
aegis setup
```
This saves your config to `~/.aegis/config.yaml`. Alternatively, set one of these environment variables:
- `GEMINI_API_KEY` — Google Gemini
- `OPENAI_API_KEY` — OpenAI
- `ANTHROPIC_API_KEY` — Anthropic Claude
These environment variables are optional. Aegis works fully offline without them. Only set a key if you want the AI second-opinion feature and accept that scanned code will be sent to the corresponding provider.
For local LLM servers (Ollama, LM Studio, llama.cpp, vLLM), see `aegis setup` — no third-party data transmission occurs with local models.
---
## MCP server
Aegis runs as an MCP server for Cursor, Claude Desktop, and any MCP-compatible client. Three tools are exposed: `scan_skill`, `verify_lockfile`, and `list_capabilities`.
Add this to your `.cursor/mcp.json`:
```json
{
"mcpServers": {
"aegis": {
"command": "aegis",
"args": ["mcp-serve"]
}
}
}
```
Or generate it automatically:
```bash
aegis mcp-config
```
Aegis uses stdio transport — no network server needed.
---
## What gets scanned
| Scanner | What it detects |
|---|---|
| AST Parser | 750+ Python function/method patterns across 15+ categories |
| Semgrep Rules | 80+ regex rules for Python, JavaScript, and secrets |
| Secret Scanner | API keys, tokens, private keys, connection strings (30+ patterns) |
| Shell Analyzer | Pipe-to-shell, reverse shells, inline exec |
| JS Analyzer | XSS, eval, prototype pollution, dynamic imports |
| Dockerfile Analyzer | Privilege escalation, secrets in ENV/ARG, unpinned images |
| Config Analyzer | Dangerous settings in YAML, JSON, TOML, INI |
| Social Engineering | Misleading filenames, Unicode tricks, trust manipulation |
| Steganography | Hidden payloads in images, homoglyph attacks |
| Shadow Module Detector | Stdlib-shadowing files (os.py, sys.py in the skill) |
| Combo Analyzer | Multi-capability attack chains (exfiltration, C2, ransomware) |
| Taint Analysis | Source-to-sink data flows (commands, URLs, SQL, paths) |
| Complexity Analyzer | Cyclomatic complexity warnings for hard-to-audit functions |
| Skill Meta Analyzer | SKILL.md vs actual code cross-referencing |
| Persona Classifier | Overall trust profile (LGTM, Permission Goblin, etc.) |
---
## Vibe Check personas
Aegis assigns each scanned skill a persona based on deterministic analysis:
- **Cracked Dev** — Clean code, smart patterns, minimal permissions.
- **LGTM** — Permissions match the intent, scopes are sane, nothing weird.
- **Trust Me Bro** — Polished on the outside, suspicious on the inside.
- **You Sure About That?** — Messy code, missing pieces, docs that overpromise.
- **Co-Dependent Lover** — Tiny logic, huge dependency tree. Supply chain risk.
- **Permission Goblin** — Wants everything: filesystem, network, secrets.
- **Spaghetti Monster** — Unreadable chaos. High complexity.
- **The Snake** — Code that looks clean but is not. Potentially malicious.
---
## JSON output for CI
```bash
aegis scan --json --no-llm
```
```bash
aegis scan --json --no-llm | jq '.deterministic.risk_score_static'
```
```bash
aegis scan --json --no-llm | jq -e '.deterministic.risk_score_static <= 50'
```
The JSON report contains two payloads:
- **Deterministic** — Merkle tree, capabilities, findings, risk score (reproducible, signed)
- **Ephemeral** — LLM analysis, risk adjustment (non-deterministic, not signed)
---
## For skill developers
Run Aegis on your own skill before publishing:
```bash
cd ./my-skill
aegis scan --no-llm -v
```
Fix PROHIBITED findings. Document RESTRICTED ones. Ship with an `aegis.lock`:
```bash
aegis lock
```
See the [Skill Developer Best Practices](https://github.com/Aegis-Scan/aegis-scan/blob/main/docs/SKILL_DEVELOPER_GUIDE.md) guide.
---
## Architecture
```
aegis scan ./skill
|
+-- coordinator.py File discovery (git-aware / directory walk)
+-- ast_parser.py AST analysis + pessimistic scope extraction
+-- secret_scanner.py 30+ secret patterns
+-- shell_analyzer.py Dangerous shell patterns
+-- js_analyzer.py JS/TS vulnerability patterns
+-- config_analyzer.py YAML/JSON/TOML/INI risky settings
+-- combo_analyzer.py Multi-capability attack chains
+-- taint_analyzer.py Source-to-sink data flow tracking
+-- binary_detector.py External binary classification
+-- social_eng_scanner Social engineering detection
+-- stego_scanner Steganography + homoglyphs
+-- hasher.py Lazy Merkle tree
+-- signer.py Ed25519 signing
+-- rule_engine.py Policy evaluation
+-- reporter/ JSON + Rich console output
|
v
aegis_report.json + aegis.lock
```
---
## License
Aegis is dual-licensed:
- **Open Source:** AGPL-3.0 — free to use, modify, and distribute. Network service deployments must release source.
- **Commercial:** Proprietary license available for embedding in proprietary products, running without source disclosure, SLAs, and support.
See [LICENSING.md](https://github.com/Aegis-Scan/aegis-scan/blob/main/aegis-core/LICENSING.md) for full details.
---
## Contributing
Contributions welcome. By contributing, you agree to the [Contributor License Agreement](https://github.com/Aegis-Scan/aegis-scan/blob/main/aegis-core/CLA.md).
```bash
cd aegis-core
pip install -e ".[dev]"
pytest
```
---
Python 3.11+ required. No network access needed for deterministic scans. Works offline.
don't have the plugin yet? install it then click "run inline in claude" again.
Behavioral security scanner for AI agent skills and MCP tools.
Aegis is a defensive security auditing tool. It detects malicious patterns in other skills so users can avoid dangerous installs. This skill does not teach or enable attacks , it helps users vet skills before trusting them.
The "SSL certificate" for AI agent skills , scan, certify, and govern before you trust.
Source: github.com/Aegis-Scan/aegis-scan | Package: pypi.org/project/aegis-audit | License: AGPL-3.0
use aegis to answer the question every agent user should ask before installing a skill: "what can this thing actually do, and should i trust it?" run a deterministic static analysis (AST parsing, Semgrep rules, 15+ specialized scanners) on any skill, tool, plugin, or MCP server to get a full CWE-mapped, OWASP-tagged security report with line references and risk scoring. aegis runs fully offline by default (no API keys, no network access, no data leaves your machine) and optionally integrates LLM analysis for behavioral intent checking. use this before first install, before code review, before approval, or before publishing your own skill.
installation requirement:
aegis-audit (install via pip or uv)aegis (available on PATH after install)required for all scans:
.).gitignore to skip files)optional: LLM analysis (disabled by default, no data transmitted unless explicitly enabled)
GEMINI_API_KEY for Google GeminiOPENAI_API_KEY for OpenAIANTHROPIC_API_KEY for Anthropic Claude~/.aegis/config.yaml (created by aegis setup wizard)optional: MCP server mode
no external network connections required for deterministic scans. all static analysis runs locally.
procedure 1: basic offline scan
install aegis: pip install aegis-audit or uv tool install aegis-audit
aegis CLI binary available on PATHnavigate to target skill directory or provide path: cd ./my-skill or aegis scan ./path/to/skill
run offline scan with no LLM: aegis scan --no-llm
aegis_report.json (structured findings)review report in console (human readable):
review JSON report for CI/automation: cat aegis_report.json or jq queries
procedure 2: generate cryptographic lockfile
run scan with lockfile generation: aegis lock
aegis.lock (Ed25519-signed Merkle tree snapshot)commit aegis.lock alongside skill code: git add aegis.lock && git commit -m "add aegis lockfile"
distribute skill with lockfile. consumers verify it has not changed since signing.
procedure 3: verify lockfile integrity
run verification: aegis verify (or aegis verify ./path/to/skill)
if verification fails:
aegis lock) or investigate changesprocedure 4: optional LLM-powered intent analysis
configure LLM access (one-time setup): aegis setup
~/.aegis/config.yaml with encrypted or plaintext credentials (user choice)alternatively, set environment variable: export GEMINI_API_KEY="your-key-here"
run scan with LLM: aegis scan (omit --no-llm flag)
--no-llmprocedure 5: MCP server deployment (optional, for Cursor / Claude Desktop integration)
print MCP config: aegis mcp-config
add to Cursor config file .cursor/mcp.json:
{
"mcpServers": {
"aegis": {
"command": "aegis",
"args": ["mcp-serve"]
}
}
}
restart Cursor or Claude Desktop client.
call tools from client:
if LLM analysis is desired:
GEMINI_API_KEY, OPENAI_API_KEY, ANTHROPIC_API_KEY) or local endpoint via aegis setup--no-llm flag--no-llm (default, recommended), all analysis stays offline, no code transmissionif lockfile verification fails:
aegis lock (if changes are approved), or: investigate which files changed and decide if revert/approval is neededif risk score exceeds acceptable threshold (e.g., > 60):
if running on skill with missing or incomplete SKILL.md:
if target path is a git repository:
.gitignore and skips ignored files (faster scan, avoids false positives on vendored code)if network timeout or LLM provider unavailable (when LLM mode is enabled):
--no-llm or retry after provider recoversif API rate limit hit (LLM provider):
--no-llm to skip LLM analysisif aegis.lock file exists but is corrupted or has invalid Ed25519 signature:
aegis verify fails immediately, no code comparison performedaegis lockif no files match any scanner pattern (empty or minimal codebase):
on successful scan (aegis scan), two outputs are guaranteed:
console report (Rich formatted, human readable)
aegis_report.json (structured, machine parseable)
deterministic.risk_score_static, deterministic.findings[], deterministic.capabilities[], deterministic.persona, ephemeral.llm_analysis (if available)on successful lockfile generation (aegis lock), one output is guaranteed:
merkle_root, files[] (hash per file), signature, timestamp, aegis_versionon successful lockfile verification (aegis verify), exit code signals result:
on successful MCP config generation (aegis mcp-config), one output is guaranteed:
.cursor/mcp.json or equivalentmcpServers.aegis with command and argson JSON output request (--json flag), all outputs are JSON:
aegis_report.json printed to stdoutaegis scan --json --no-llm | jq '.deterministic.risk_score_static'error handling: on failure, exit code is non-zero and error message is printed to stderr:
you know the scan worked when:
aegis_report.json is written to disk in the current directory (or specified path)you know the lockfile was created when:
aegis.lock appears in the current directoryyou know verification passed when:
aegis verify exits with code 0you know verification failed when:
aegis verify exits with non-zero code (typically 1)you know LLM analysis ran when:
aegis_report.json contains an ephemeral section with non-empty llm_analysisyou know MCP server started when:
aegis mcp-serve command exits with no errorscan_skill, verify_lockfile, list_capabilitiesyou know setup completed when:
aegis setup exits after prompts~/.aegis/config.yaml is created (check with cat ~/.aegis/config.yaml)--no-llm and LLM analysis runs successfullyaegis runs 15+ specialized scanners covering OWASP Top 10, CWE-200 series (information exposure), CWE-600 series (OS command injection), and MITRE ATT&CK tactics:
| scanner | detects | output |
|---|---|---|
| AST Parser | 750+ Python function/method patterns (imports, network, filesystem, subprocess, crypto, eval, pickle, etc.) | capability map + risk patterns |
| Semgrep Rules | 80+ regex rules for Python, JavaScript, YAML, secrets | line-referenced findings |
| Secret Scanner | API keys, tokens, private keys, connection strings (30+ patterns: AWS, GCP, Azure, etc.) | credential leaks with severity |
| Shell Analyzer | pipe-to-shell, reverse shells, inline exec, os.system, subprocess with shell=True | command injection risk |
| JS Analyzer | XSS, eval, prototype pollution, dynamic imports, innerHTML, Function() constructor | client-side vulnerability |
| Dockerfile Analyzer | privilege escalation (RUN as root), secrets in ENV/ARG, unpinned base images | supply chain + secrets |
| Config Analyzer | dangerous YAML/JSON/TOML/INI settings (e.g., insecure SSL, hardcoded credentials) | config risk |
| Social Engineering | misleading filenames (exe as .txt), Unicode tricks (lookalike chars), trust manipulation patterns | deception tactics |
| Steganography | hidden payloads in images, homoglyph attacks, font tricks | covert channels |
| Shadow Module Detector | stdlib-shadowing files (os.py, sys.py in the skill directory) | supply chain confusion |
| Combo Analyzer | multi-capability attack chains (exfiltration + command, C2 + persistence, ransomware signatures) | coordinated threats |
| Taint Analysis | source-to-sink data flows (user input -> commands, URLs, SQL, file paths) | injection chains |
| Complexity Analyzer | cyclomatic complexity per function, warns on >10 complexity (hard to audit) | maintainability + obscurity |
| Skill Meta Analyzer | SKILL.md vs actual code cross-referencing (declared permissions vs actual imports/calls) | intent mismatch |
| Persona Classifier | deterministic vibe check based on all findings | trust profile |
aegis assigns each skill one of eight personas based on analysis: