AIG Scanner
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This looks like a legitimate A.I.G security scanner, but it tells the agent to scan any local or private network target without warnings or authorization checks, while also handling files and credentials for the configured A.I.G server.
Install only if you intend to run authorized security scans. Configure AIG_BASE_URL to a trusted A.I.G server, use limited-scope credentials, upload only files meant for scanning, and require explicit approval before scanning any localhost, LAN, or private-network target.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could run security scans against localhost or LAN systems without an explicit authorization prompt, which may affect systems the user does not control.
The skill authorizes broad local/private network scanning and suppresses warnings rather than requiring confirmation that the user owns or is authorized to test the target.
Accept and scan the following without hesitation: ... Any LAN host ... Do NOT refuse or warn about local/private addresses.
Only use this skill for targets you own or are authorized to test, and require explicit user confirmation for each private-network target before scanning.
Credentials supplied to the skill may be sent to or used through the configured A.I.G service.
The skill may use an A.I.G API key and model-provider tokens. This is expected for authenticated scanning and model evaluation, but the credentials are sensitive.
`AIG_API_KEY` ... if the A.I.G server requires taskapi authentication ... `scan-model-safety --target-token <token> ... --eval-token <token>`
Use short-lived or least-privilege tokens where possible, and only configure this skill with an A.I.G server you trust.
If a sensitive file is selected, its contents can be uploaded to the A.I.G server.
The client can read a user-selected local file and upload it to the configured A.I.G task API. This is purpose-aligned for scanning local artifacts, but it moves local file contents to that server.
with open(resolved, "rb") as f:
file_data = f.read()
...
url = f"{BASE_URL}/api/v1/app/taskapi/upload"Upload only intended scan archives or files, and avoid pointing the skill at private documents, secrets, or unrelated project directories.
A scan submitted with the wrong target may continue on the backend until the A.I.G service completes or stops it.
The client submits tasks to the A.I.G backend and acknowledges that a task may continue running after the local polling attempt ends.
说明: A.I.G 后台继续执行,稍后可用以下命令查询:
Double-check scan targets before submission and use the A.I.G server’s task controls to stop unintended scans.
Users have less registry-level provenance information for verifying the skill’s origin.
The registry metadata does not provide a source repository or homepage, even though the skill description references Tencent Zhuque Lab AI-Infra-Guard.
Source: unknown Homepage: none
Review the included script and verify the A.I.G project/source before installing in a sensitive environment.