AIclude Security Scanner
Result: Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a disclosed external vulnerability lookup/scanner that sends target names to AICLUDE and may register scans, with no local code or credential access shown.
This skill appears appropriate for looking up or requesting vulnerability scans of MCP servers and agent skills. Before installing or using it, be aware that target names are sent to AICLUDE, missing reports may trigger automatic server-side scans, and results may be visible on the AICLUDE dashboard. Avoid submitting private/internal package names unless that sharing is acceptable.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. If you scan a private or internal package name, that name and target type may be shared with AICLUDE.
   The skill clearly discloses an external provider data flow. Even though it is purpose-aligned and limited, submitted package or repository names leave the local environment.
   Evidence: "Sends the package name to the AICLUDE scan API ... Only the package name and type are sent. No source code or credentials are transmitted."
   Recommendation: Use it for public or non-sensitive targets unless you are comfortable sharing the package or repository name with AICLUDE.

2. A typo or sensitive target name could be submitted for server-side scanning and recorded by the service.
   Invoking the command can create a remote scan job, not just read an existing report. This is disclosed and aligned with the scanner purpose, but it is an automatic external action.
   Evidence: "If no report exists, the target is registered and scanned automatically."
   Recommendation: Confirm the target name and type before invoking the command, especially for internal or private projects.

3. Scan results for a submitted target may remain available through AICLUDE's dashboard.
   Scan output may persist in and be visible through an external dashboard. This is relevant because submitted targets and resulting reports may propagate beyond the immediate chat session.
   Evidence: "Results are also viewable at https://vs.aiclude.com"
   Recommendation: Avoid submitting private or sensitive package names unless the service's visibility and retention model are acceptable to you.

4. Manual npm installation would introduce code that is not represented by the instruction-only runtime path described in the registry metadata.
   The reviewed registry entry is described as instruction-only, but the README points to a separate npm package installation path. There is no evidence this skill auto-installs it, but users manually following the README would be trusting that package.
   Evidence: "npm install @aiclude/security-skill"
   Recommendation: If installing the npm package separately, verify the package publisher, version, repository, and package contents before use.
