inkog_skill_scan
Scan SKILL.md packages and agent tool definitions to detect security vulnerabilities like tool poisoning, command injection, and supply chain risks. Maps findings to OWASP security standards.
Instructions
Scan SKILL.md packages and agent tool definitions for security vulnerabilities. Detects tool poisoning, command injection, data exfiltration, prompt injection, excessive permissions, obfuscation, supply chain risks, and more. Maps findings to OWASP Agentic Top 10 and OWASP MCP Top 10. Set deep=true for AI-powered deep analysis (~10 min, catches novel threats). For MCP server scanning, use inkog_mcp_scan instead.
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| repository_url | No | GitHub repository URL of the skill package | |
| path | No | Local path to skill package directory | |
| deep | No | Enable AI deep analysis |
Implementation Reference
- src/tools/skill-scan.ts:139-344 (handler)The handler function `handleSkillScan` performs the actual scanning logic by interacting with the Inkog API and formatting the findings into a readable string.
async function handleSkillScan(args: Record<string, unknown>): Promise<ToolResult> { const parsed = SkillScanArgsSchema.parse(args); try { const client = getClient(); let response: SkillScanResponse; if (parsed.repository_url) { response = await client.scanSkill({ repositoryUrl: parsed.repository_url, }); } else if (parsed.path) { // For local paths, we'd need to read files and upload // For now, return an error suggesting CLI usage return { content: [ { type: 'text', text: 'Local path scanning is best done via the CLI:\n\n```bash\ninkog skill-scan ' + parsed.path + '\n```\n\nFor repository scanning, use repository_url.', }, ], }; } else { return { content: [ { type: 'text', text: 'Please provide either repository_url or path.', }, ], isError: true, }; } if (!response.success || !response.result) { return { content: [ { type: 'text', text: `Skill scan failed: ${response.error ?? 'Unknown error'}`, }, ], isError: true, }; } // Format the results const result = response.result; const lines: string[] = []; lines.push(`# Skill Security Scan: ${result.name || 'Unknown'}`); lines.push(''); lines.push(`**Overall Risk:** ${formatRiskBadge(result.overall_risk)}`); lines.push(`**Security Score:** ${result.security_score}/100`); lines.push(`**Files Scanned:** ${result.files_scanned} | **Lines:** ${result.lines_of_code}`); lines.push(''); // Permissions if (result.permissions) { const p = result.permissions; lines.push('## Permissions'); lines.push(formatPermission('File Access', p.file_access)); lines.push(formatPermission('Network Access', p.network_access)); lines.push(formatPermission('Code Execution', p.code_execution)); lines.push(formatPermission('Database Access', p.database_access)); lines.push(formatPermission('Environment Access', p.environment_access)); lines.push(`**Scope:** ${p.scope}`); if (p.code_execution && p.network_access && (p.file_access || p.environment_access)) { lines.push(''); lines.push('⚠️ **LETHAL TRIFECTA DETECTED:** Code Execution + Network + File/Env Access'); } lines.push(''); } // Tools if (result.tool_analyses?.length > 0) { lines.push(`## Tools (${result.tool_analyses.length})`); for (const tool of result.tool_analyses) { const riskIcon = tool.risk_level === 'dangerous' ? '🔴' : tool.risk_level === 'moderate' ? '🟡' : '🟢'; lines.push(`- ${riskIcon} **${tool.name}** [${tool.risk_level}]`); if (tool.attack_vectors?.length) { for (const v of tool.attack_vectors) { lines.push(` - Attack vector: ${v}`); } } } lines.push(''); } // Findings if (result.findings.length > 0) { lines.push(`## Findings (${result.findings.length})`); lines.push(`🔴 Critical: ${result.critical_count} | 🟠 High: ${result.high_count} | 🟡 Medium: ${result.medium_count} | 🟢 Low: ${result.low_count}`); lines.push(''); for (let i = 0; i < result.findings.length; i++) { const f = result.findings[i]!; lines.push(`### ${formatSeverityIcon(f.severity)} #${i + 1}: ${f.title}`); if (f.file) { lines.push(`📁 ${f.file}${f.line ? `:${f.line}` : ''}`); } if (f.tool_name) { lines.push(`🔧 Tool: ${f.tool_name}`); } lines.push(f.description); if (f.owasp_agentic || f.owasp_mcp) { const refs: string[] = []; if (f.owasp_agentic) refs.push(`OWASP Agentic: ${f.owasp_agentic}`); if (f.owasp_mcp) refs.push(`OWASP MCP: ${f.owasp_mcp}`); lines.push(`📋 ${refs.join(' | ')}`); } lines.push(`💡 ${f.remediation}`); lines.push(''); } } else { lines.push('## ✅ No security findings detected'); } // Deep scan flow if (parsed.deep && response.scan_id) { lines.push(''); lines.push('---'); lines.push('## 🔬 Deep Analysis'); lines.push('Triggering AI deep analysis...'); try { await client.triggerSkillDeepScan(response.scan_id); } catch { lines.push('⚠️ Could not trigger deep analysis. Returning standard results.'); return { content: [{ type: 'text', text: lines.join('\n') }], }; } const deadline = Date.now() + 15 * 60 * 1000; let deepDone = false; while (Date.now() < deadline) { await sleep(5000); try { const detail: SkillScanDetailResponse = await client.getSkillScan(response.scan_id); const status = detail.scan?.ai_scan_status as string | undefined; if (status === 'completed') { const deepOutput = formatDeepFindings(detail.scan); if (deepOutput) { lines.push(deepOutput); } else { lines.push('✅ Deep analysis completed — no additional findings.'); } deepDone = true; break; } if (status === 'failed') { lines.push('⚠️ Deep analysis failed. Standard scan results are shown above.'); deepDone = true; break; } } catch { // Polling error — continue waiting } } if (!deepDone) { lines.push('⏱️ Deep analysis timed out (15 min). Check the dashboard for results.'); } } return { content: [ { type: 'text', text: lines.join('\n'), }, ], }; } catch (err) { if (err instanceof InkogAuthError) { return { content: [{ type: 'text', text: '🔐 Authentication required. Set INKOG_API_KEY environment variable.' }], isError: true, }; } if (err instanceof InkogRateLimitError) { return { content: [{ type: 'text', text: '⏳ Rate limited. Please wait and try again.' }], isError: true, }; } if (err instanceof InkogNetworkError) { return { content: [{ type: 'text', text: '🌐 Network error. Check your connection and try again.' }], isError: true, }; } if (err instanceof InkogApiError) { return { content: [{ type: 'text', text: `❌ API error: ${err.message}` }], isError: true, }; } throw err; } } - src/tools/skill-scan.ts:26-50 (schema)Input validation schema for the skill scan tool parameters.
const SkillScanArgsSchema = z .object({ repository_url: z .string() .url() .optional() .describe('GitHub repository URL of the skill package to scan'), path: z .string() .optional() .describe('Local path to the skill package directory'), deep: z .boolean() .optional() .default(false) .describe('Enable AI deep analysis (slower but catches novel threats)'), }) .refine( (data) => data.repository_url !== undefined || data.path !== undefined, { message: 'Either repository_url or path must be provided', } ); - src/tools/skill-scan.ts:350-379 (registration)Definition and registration of the 'inkog_skill_scan' tool, which maps the tool name and schema to the handler function.
export const skillScanTool: ToolDefinition = { tool: { name: 'inkog_skill_scan', description: 'Scan SKILL.md packages and agent tool definitions for security vulnerabilities. ' + 'Detects tool poisoning, command injection, data exfiltration, prompt injection, excessive permissions, ' + 'obfuscation, supply chain risks, and more. Maps findings to OWASP Agentic Top 10 and OWASP MCP Top 10. ' + 'Set deep=true for AI-powered deep analysis (~10 min, catches novel threats). ' + 'For MCP server scanning, use inkog_mcp_scan instead.', inputSchema: { type: 'object' as const, properties: { repository_url: { type: 'string', description: 'GitHub repository URL of the skill package', }, path: { type: 'string', description: 'Local path to skill package directory', }, deep: { type: 'boolean', description: 'Enable AI deep analysis', default: false, }, }, }, }, handler: handleSkillScan, };