{"slug": "cisco-ai-defense-skill-scanner", "title": "Cisco AI Defense Skill Scanner", "summary": "Cisco released AI Defense Skill Scanner, a best-effort security scanner for AI agent skills that detects prompt injection, data exfiltration, and malicious code patterns using multi-engine detection including pattern-based, LLM-as-a-judge, and behavioral dataflow analysis. The tool supports OpenAI Codex and Cursor Agent Skills formats, integrates with CI/CD pipelines, and is available as an open-source project on GitHub.", "body_md": "A best-effort security scanner for AI Agent Skills that detects prompt injection, data exfiltration, and malicious code patterns. Combines **pattern-based detection** (YAML + YARA), **LLM-as-a-judge**, and **behavioral dataflow analysis** to maximize detection coverage of probable threats while minimizing false positives.\n\n**Important:** This scanner provides best-effort detection, not comprehensive or complete coverage. A scan that returns no findings does not guarantee that a skill is free of all threats. See [Scope and Limitations] below.\n\nSupports [OpenAI Codex Skills](https://openai.github.io/codex/) and [Cursor Agent Skills](https://docs.cursor.com/context/rules) formats following the [Agent Skills specification](https://agentskills.io). With `--lenient`, it also scans non-standard formats such as Claude Code `.claude/commands/*.md` and flat markdown skill repos.\n\n- **Multi-Engine Detection** - Static analysis, behavioral dataflow, LLM semantic analysis, and cloud-based scanning for layered, best-effort coverage\n- **False Positive Filtering** - Meta-analyzer significantly reduces noise while preserving detection capability\n- **CI/CD Ready** - SARIF output for GitHub Code Scanning, [reusable GitHub Actions workflow](/cisco-ai-defense/skill-scanner/blob/main/docs/github-actions.md), exit codes for build failures\n- **Pre-commit Hook** - [Standard pre-commit framework](https://pre-commit.com/) integration to scan skills before every commit\n- **Extensible** - Plugin architecture for custom analyzers\n\n**Join the Cisco AI Discord** to discuss, share feedback, or connect with the team.\n\n**Scope and Limitations**\n\nSkill Scanner is a detection tool. It identifies known and probable risk patterns, but it does not certify security.\n\n**Key limitations:**\n\n- **No findings ≠ no risk.** A scan that returns \"No findings\" indicates that no known threat patterns were detected. It does not guarantee that a skill is secure, benign, or free of vulnerabilities.\n- **Coverage is inherently incomplete.** The scanner combines signature-based detection, LLM-based semantic analysis, behavioral dataflow analysis, optional cloud services, and configurable rule packs. While this approach improves coverage, no automated tool can detect every technique, especially novel or zero-day attacks.\n- **False positives and false negatives can occur.** Consensus modes and meta-analysis reduce noise, but no configuration eliminates all incorrect classifications. Tune the [scan policy](/cisco-ai-defense/skill-scanner/blob/main/docs/user-guide/custom-policy-configuration.md) to your risk tolerance.\n- **Human review remains essential.** Automated scanning is one component of a defense-in-depth strategy. High-risk or production deployments should pair scanner results with manual code review and/or threat modeling.\n\n**Guides**\n\n- [Architecture](/cisco-ai-defense/skill-scanner/blob/main/docs/architecture/index.md)\n- [Threat Taxonomy](/cisco-ai-defense/skill-scanner/blob/main/docs/architecture/threat-taxonomy.md)\n- [LLM Analyzer](/cisco-ai-defense/skill-scanner/blob/main/docs/architecture/analyzers/llm-analyzer.md)\n- [Meta-Analyzer](/cisco-ai-defense/skill-scanner/blob/main/docs/architecture/analyzers/meta-analyzer.md)\n- [Behavioral Analyzer](/cisco-ai-defense/skill-scanner/blob/main/docs/architecture/analyzers/behavioral-analyzer.md)\n- [Scan Policy](/cisco-ai-defense/skill-scanner/blob/main/docs/user-guide/custom-policy-configuration.md)\n- [Policy Quick Reference](/cisco-ai-defense/skill-scanner/blob/main/docs/reference/policy-quick-reference.md)\n- [Rule Authoring](/cisco-ai-defense/skill-scanner/blob/main/docs/architecture/analyzers/writing-custom-rules.md)\n- [GitHub Actions](/cisco-ai-defense/skill-scanner/blob/main/docs/github-actions.md)\n- [API Reference](/cisco-ai-defense/skill-scanner/blob/main/docs/user-guide/api-server.md)\n- [Development Guide](/cisco-ai-defense/skill-scanner/blob/main/docs/development/setup-and-testing.md)\n\n**Prerequisites:** Python 3.10+ and [uv](https://docs.astral.sh/uv/) (recommended) or pip\n\n```\n# Using uv (recommended)\nuv pip install cisco-ai-skill-scanner\n\n# Using pip\npip install cisco-ai-skill-scanner\n```\n\n**Cloud Provider Extras**\n\n```\n# AWS Bedrock support\npip install cisco-ai-skill-scanner[bedrock]\n\n# Google AI Studio / Gemini support\npip install cisco-ai-skill-scanner[google]\n\n# Google Vertex AI support\npip install cisco-ai-skill-scanner[vertex]\n\n# Azure OpenAI support\npip install cisco-ai-skill-scanner[azure]\n\n# All cloud providers\npip install cisco-ai-skill-scanner[all]\n```\n\n**Environment Variables**\n\n```\n# For LLM analyzer and Meta-analyzer\nexport SKILL_SCANNER_LLM_API_KEY=\"your_api_key\"\nexport SKILL_SCANNER_LLM_MODEL=\"claude-3-5-sonnet-20241022\"\n\n# For VirusTotal binary scanning\nexport VIRUSTOTAL_API_KEY=\"your_virustotal_api_key\"\n\n# For Cisco AI Defense\nexport AI_DEFENSE_API_KEY=\"your_aidefense_api_key\"\n```\n\nNot sure which flags to use? Run `skill-scanner` with no arguments to launch the interactive wizard:\n\n```\nskill-scanner\n```\n\nThe wizard walks you through selecting a scan target, analyzers, policy, and output format, then shows the assembled command before running it. Great for learning the CLI.\n\n```\n# Scan a single skill (core analyzers: static + bytecode + pipeline)\nskill-scanner scan /path/to/skill\n\n# Scan with behavioral analyzer (dataflow analysis)\nskill-scanner scan /path/to/skill --use-behavioral\n\n# Scan with all engines\nskill-scanner scan /path/to/skill --use-behavioral --use-llm --use-aidefense\n\n# Scan with meta-analyzer for false positive filtering\nskill-scanner scan /path/to/skill --use-llm --enable-meta\n\n# Scan with trigger analyzer for vague description checks\nskill-scanner scan /path/to/skill --use-trigger\n\n# Run LLM analyzer multiple times and keep majority-agreed findings\nskill-scanner scan /path/to/skill --use-llm --llm-consensus-runs 3\n\n# Scan multiple skills recursively\nskill-scanner scan-all /path/to/skills --recursive --use-behavioral\n\n# Scan multiple skills with cross-skill overlap detection\nskill-scanner scan-all /path/to/skills --recursive --check-overlap\n\n# Lenient mode: tolerate malformed skills instead of failing\nskill-scanner scan /path/to/skill --lenient\nskill-scanner scan-all /path/to/skills --recursive --lenient\n\n# Lenient mode with non-standard skill formats (no SKILL.md required)\nskill-scanner scan .claude/commands/deploy --lenient\nskill-scanner scan-all .claude/commands --recursive --lenient\n\n# Use a custom metadata filename instead of SKILL.md\nskill-scanner scan /path/to/skill --skill-file README.md\n\n# CI/CD: Fail build if threats found\nskill-scanner scan-all ./skills --fail-on-severity high --format sarif --output results.sarif\n\n# Generate interactive HTML report with attack correlation groups\nskill-scanner scan /path/to/skill --use-llm --enable-meta --format html --output report.html\n\n# Use custom YARA rules\nskill-scanner scan /path/to/skill --custom-rules /path/to/my-rules/\n\n# Use custom taxonomy + threat mapping profiles (JSON/YAML)\nskill-scanner scan /path/to/skill --taxonomy /path/to/taxonomy.json --threat-mapping /path/to/threat_mapping.json\n\n# VirusTotal hash scan with optional unknown-file uploads\nskill-scanner scan /path/to/skill --use-virustotal --vt-upload-files\n\n# Use a scan policy preset (strict, balanced, permissive)\nskill-scanner scan /path/to/skill --policy strict\n\n# Use a custom org policy file\nskill-scanner scan /path/to/skill --policy my_org_policy.yaml\n\n# Generate a policy file to customise\nskill-scanner generate-policy -o my_org_policy.yaml\n\n# Interactive policy configurator (TUI)\nskill-scanner configure-policy\n```\n\n**LLM provider note:** `--llm-provider` currently accepts `anthropic` or `openai`. For Bedrock, Vertex, Azure, Gemini, and other LiteLLM backends, set provider-specific model strings and environment variables (see [LLM Analyzer docs](/cisco-ai-defense/skill-scanner/blob/main/docs/architecture/analyzers/llm-analyzer.md)).\n\n```python\nfrom skill_scanner import SkillScanner\nfrom skill_scanner.core.analyzers import BehavioralAnalyzer\n\n# Create scanner with analyzers\nscanner = SkillScanner(analyzers=[\n    BehavioralAnalyzer(),\n])\n\n# Scan a skill\nresult = scanner.scan_skill(\"/path/to/skill\")\n\nprint(f\"Findings: {len(result.findings)}\")\nprint(f\"Max severity: {result.max_severity}\")\n\n# Note: is_safe indicates no HIGH/CRITICAL findings were detected.\n# It does not guarantee the skill is free of all risk.\nif not result.is_safe:\n    print(\"Issues detected -- review findings before deployment\")\n```\n\n| Analyzer | Detection Method | Scope | Requirements |\n|---|---|---|---|\n| Static | YAML + YARA patterns | All files | None |\n| Bytecode | .pyc integrity verification | Python bytecode | None |\n| Pipeline | Command taint analysis | Shell pipelines | None |\n| Behavioral | AST dataflow analysis | Python files | None |\n| LLM | Semantic analysis | SKILL.md + scripts | API key |\n| Meta | False positive filtering | All findings | API key |\n| VirusTotal | Hash-based malware | Binary files | API key |\n| AI Defense | Cloud-based AI | Text content | API key |\n\n| Option | Description |\n|---|---|\n| `--policy` | Scan policy: preset name (`strict`, `balanced`, `permissive`) or path to custom YAML |\n| `--use-behavioral` | Enable behavioral analyzer (dataflow analysis) |\n| `--use-llm` | Enable LLM analyzer (requires API key) |\n| `--llm-provider` | LLM provider for CLI routing: `anthropic` or `openai` |\n| `--llm-consensus-runs N` | Run LLM analysis `N` times and keep majority-agreed findings |\n| `--llm-max-tokens N` | Maximum output tokens for LLM responses (default: 8192) |\n| `--use-virustotal` | Enable VirusTotal binary scanner |\n| `--vt-api-key KEY` | Provide VirusTotal API key directly (optional) |\n| `--vt-upload-files` | Upload unknown binaries to VirusTotal (optional) |\n| `--use-aidefense` | Enable Cisco AI Defense analyzer |\n| `--aidefense-api-url URL` | Override AI Defense API URL (optional) |\n| `--use-trigger` | Enable trigger specificity analyzer |\n| `--enable-meta` | Enable meta-analyzer for false positive filtering |\n| `--verbose` | Include per-finding policy fingerprints, co-occurrence metadata, and keep meta-analyzer false positives |\n| `--format` | Output: `summary`, `json`, `markdown`, `table`, `sarif`, `html`. The `html` format produces a self-contained interactive report with collapsible correlation groups, expandable code snippets, and pipeline taint flow diagrams |\n| `--detailed` | Include detailed findings in Markdown output |\n| `--compact` | Compact JSON output |\n| `--output PATH` | Default output file path (overridden by `--output-<fmt>`) |\n| `--fail-on-findings` | Exit with error if HIGH/CRITICAL found (shorthand for `--fail-on-severity high`) |\n| `--fail-on-severity LEVEL` | Exit with error if findings at or above LEVEL exist (critical, high, medium, low, info) |\n| `--custom-rules PATH` | Use custom YARA rules from directory |\n| `--taxonomy PATH` | Load custom taxonomy profile (JSON/YAML) for this run |\n| `--threat-mapping PATH` | Load custom scanner threat mapping profile (JSON) for this run |\n| `--lenient` | Tolerate malformed skills (coerce bad fields, fill defaults) instead of failing. When `SKILL.md` is absent, falls back to scanning `.md` files in the directory |\n| `--skill-file FILENAME` | Custom metadata filename to use instead of `SKILL.md` (e.g. `README.md`) |\n| `--check-overlap` | (`scan-all`) Enable cross-skill description overlap checks |\n\n| Command | Description |\n|---|---|\n| (no command) | Launch interactive scan wizard (when run in a terminal) |\n| `interactive` | Launch interactive scan wizard (explicit) |\n| `scan` | Scan a single skill directory |\n| `scan-all` | Scan multiple skills (with `--recursive`, `--check-overlap`) |\n| `generate-policy` | Generate a scan policy YAML for customisation |\n| `configure-policy` | Interactive TUI to build/edit a custom scan policy (`--input` supported) |\n| `list-analyzers` | Show available analyzers |\n| `validate-rules` | Validate rule signatures (`--rules-file` supported) |\n\n```bash\n$ skill-scanner scan ./my-skill --use-behavioral\n\n============================================================\nSkill: my-skill\n============================================================\nStatus: [OK] No findings\nMax Severity: NONE\nTotal Findings: 0\nScan Duration: 0.15s\n```\n\n**Note:** \"No findings\" means the scanner did not detect any known threat patterns -- it is not a guarantee that the skill is free of all risk. See [Scope and Limitations].\n\nScan skills automatically on every push or PR using the [reusable workflow](/cisco-ai-defense/skill-scanner/blob/main/docs/github-actions.md):\n\n```\n# .github/workflows/scan-skills.yml\nname: Scan Skills\non:\n  pull_request:\n    paths: [\".cursor/skills/**\"]\njobs:\n  scan:\n    uses: cisco-ai-defense/skill-scanner/.github/workflows/scan-skills.yml@main\n    with:\n      skill_path: .cursor/skills\n    permissions:\n      security-events: write\n      contents: read\n```\n\nResults appear as inline annotations in PRs via GitHub Code Scanning. See the [full guide](/cisco-ai-defense/skill-scanner/blob/main/docs/github-actions.md) for LLM integration, secret configuration, and branch protection setup.\n\nScan skills before every commit using the [pre-commit](https://pre-commit.com/) framework:\n\n```\n# .pre-commit-config.yaml\nrepos:\n  - repo: https://github.com/cisco-ai-defense/skill-scanner\n    rev: v1.0.0  # use the latest release tag\n    hooks:\n      - id: skill-scanner\n```\n\nOr install the built-in hook directly:\n\n```\nskill-scanner-pre-commit install\n```\n\nThe hook automatically detects which skill directories have staged changes and only scans those, keeping commit times fast. Use `--all` to scan everything.\n\nWe welcome contributions! Please see [CONTRIBUTING.md](/cisco-ai-defense/skill-scanner/blob/main/CONTRIBUTING.md) for guidelines.\n\nApache 2.0 - See [LICENSE](/cisco-ai-defense/skill-scanner/blob/main/LICENSE) for details.\n\nCopyright 2026 Cisco Systems, Inc. and its affiliates", "url": "https://wpnews.pro/news/cisco-ai-defense-skill-scanner", "canonical_source": "https://github.com/cisco-ai-defense/skill-scanner", "published_at": "2026-06-24 06:44:16+00:00", "updated_at": "2026-06-24 07:13:55.220663+00:00", "lang": "en", "topics": ["ai-safety", "ai-tools", "ai-agents", "large-language-models", "developer-tools"], "entities": ["Cisco", "OpenAI", "Cursor", "GitHub", "AI Defense Skill Scanner", "Codex", "Agent Skills"], "alternates": {"html": "https://wpnews.pro/news/cisco-ai-defense-skill-scanner", "markdown": "https://wpnews.pro/news/cisco-ai-defense-skill-scanner.md", "text": "https://wpnews.pro/news/cisco-ai-defense-skill-scanner.txt", "jsonld": "https://wpnews.pro/news/cisco-ai-defense-skill-scanner.jsonld"}}