Skill files used in AI Agent development and CI/CD pipelines may contain malicious scripts, risky configurations, or prompt injections that are difficult to review manually at scale. Skills detection scans Skill files and their associated content through the SDK, automatically intercepting supply chain risks before deployment. You can view detection results and handle risks in the console.
Overview
Skills detection is a security scanning component for the AI Agent ecosystem that integrates into your development workflow or security operations platform through SDK or API. Unlike traditional code scanning tools, it focuses on Agent Skill supply chain security — specifically targeting dangerous commands, data exfiltration, prompt injection, privilege escalation, unsafe configurations, and sensitive information exposure in Skill.md files. For common identifiable risks, see Typical identifiable risks.
Detection capabilities
-
Malicious file detection: Combines external threat intelligence, malicious signatures, and suspicious script behavior to identify potential malicious files, backdoors, persistence logic, and resource abuse behavior in Skills.
-
Sensitive information detection: Uses rule matching and contextual analysis to detect risks of hardcoded API keys, AccessKey pairs, database credentials, private keys, Bearer tokens, and cloud provider credentials.
-
Skills poisoning and prompt attack detection: Detects Prompt Injection attacks carried out through malicious Skill injection, preventing attackers from using Skill distribution channels to tamper with Agent behavior, steal sensitive information, or execute unauthorized operations.
-
LLM deep intent analysis: Uses an LLM to analyze the overall behavioral intent of a Skill, identifying combined risks, contextual risks, and covert attack chains that rule-based detection alone cannot cover. For details, see LLM deep intent analysis coverage.
Context-aware precision detection
Skills detection leverages context to achieve high-confidence risk identification.
-
DevOps exemption: Automatically identifies routine commands in DevOps, build, and test scripts to avoid misclassifying legitimate operations as malicious behavior.
-
Non-sensitive content filtering: Environment variable placeholders, example configurations (such as
.env.example), and documentation notes are semantically distinguished to filter out non-real credentials. -
Legitimate behavior noise reduction: For public API calls, clearly specified upload targets, and standard tool usage, risk weights are reduced based on context.
-
Dynamic risk classification: Privilege escalation and insecure configurations are classified as low-priority by default. Alerts are escalated only when associated with high-risk scenarios such as data exfiltration, backdoor implantation, or malicious execution.
-
Precise intent recognition: During prompt interactions, security education and risk disclosure documents are strictly distinguished from real attack instructions to ensure that only malicious intent triggers interception.
Use cases
-
AI Agent application development: Detect malicious commands and prompt injections in Skill.md files during the development phase to ensure Skills come from trusted sources and contain safe instructions.
-
CI/CD security scanning: Integrate Skills detection into your CI/CD pipeline for automated security scanning during continuous integration and delivery.
-
Security Operations Center (SOC) integration: Connect Skills detection to your SOC platform for continuous monitoring of the Agent ecosystem. Detections can be unified into your security event management workflow.
Billing
Skills SDK detection is a standalone pay-as-you-go service. Billing rules:
-
Billing unit: Charged per file. Each Skill file scanned counts as 1 unit.
-
Cumulative billing: If a single API call submits multiple files, you are billed for the total number of files.
Example: Submitting 10 files in one API call is billed as 10 units.
-
Billing condition: Charges apply only when the detection task completes successfully. No charge is applied if the file upload or detection task fails.
-
Unit price: CNY 10 per unit.
Plan your usage based on actual detection needs to keep costs within budget.
Activate Skills detection
-
Access the Security Center console - Agent Security Center - Agent Risks. In the upper-left corner of the page, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.
-
On the Check tab, click Activate Now in the upper-right corner.
Upload Skill files
Agent Security Center supports uploading Skill files for risk detection only through SDK integration by calling the CreateSkillFileCheck API. Multi-language SDKs are available for Java, Python, and Go.
Install the SDK
Java
Prerequisites
Requires Java 8 or later.
Installation
Add the following dependency to your Maven project:
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>aisc20260101</artifactId>
<version>1.0.1</version>
</dependency>
We recommend using the latest version. For version details, see SDK Reference.
Python
Prerequisites
Requires Python 3.7 or later.
Installation
pip install alibabacloud_aisc20260101==1.0.1
We recommend using the latest version. For version details, see SDK Reference.
Go
Prerequisites
-
Go version must be 1.10.x or later.
-
Install the OpenAPI core library:
go get github.com/alibabacloud-go/darabonba-openapi/v2/client
Installation
go get github.com/alibabacloud-go/aisc-20260101
We recommend using the latest version. For version details, see SDK Reference.
Configure credentials
For more credential configuration methods, see Manage credentials.
AccessKey
By default, your Alibaba Cloud account has Administrator permissions for all resources and this cannot be modified. For security, we recommend creating an AccessKey for a RAM user and granting only the minimum required permissions.
-
Create an AccessKey:
-
Log on to the RAM console. On the page, click the target RAM user name. If no RAM user exists, Create a RAM user first.
-
On the Authentication tab, in the AccessKey section, click Create AccessKey and follow the prompts to complete creation.
-
-
Create a policy:
-
Go to the Permissions > Policies page and click Create Policy.
-
Select the JSON tab and enter the following content, then click OK.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "yundun-aisc:CreateSkillFileCheck", "yundun-aisc:List*" ], "Resource": "*" } ] } -
In the Create Policy dialog box, enter a Policy Name and click OK.
-
-
Attach the policy: Click Grant Permission in the Actions column of the RAM user to attach the policy created in the previous step. For details, see Manage RAM user permissions.
ECS RAM role
An ECS RAM role is a service role with Alibaba Cloud ECS as the trusted service. It lets you obtain a temporary access credential (STS token) from within the ECS instance without configuring an AccessKey, enabling calls to the Agent Security Center OpenAPI.
-
Create an ECS RAM role and bind it to an ECS instance:
-
Log on to the RAM console and create a RAM role with the trusted entity set to Alibaba Cloud Service. For details, see Instance RAM roles.
-
Trusted entity type: Select Elastic Compute Service.
-
Trusted entity name: Select ECS.
-
-
Log on to the ECS console and grant the RAM role to the target ECS instance.

-
-
Create a policy:
-
Go to the Permissions > Policies page and click Create Policy.
-
Select the JSON tab and enter the following content, then click OK.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "yundun-aisc:CreateSkillFileCheck", "yundun-aisc:List*" ], "Resource": "*" } ] } -
In the Create Policy dialog box, enter a Policy Name and click OK.
-
-
Attach the policy: Click Grant Permission in the Actions column of the ECS RAM role to attach the policy created in the previous step.
AccessKey + RamRoleArn
A RAM user or cloud service can assume a role to obtain temporary permissions (STS token) instead of using long-term keys, reducing the risk of key exposure. For example, a RAM user can temporarily assume a role with a specific RamRoleArn for a data processing task, and the role permissions are revoked after the task completes.
-
Create an AccessKey:
-
Log on to the RAM console. On the page, click the target RAM user name. If no RAM user exists, Create a RAM user first.
-
Click Grant Permission in the Actions column of the RAM user to assign the system policy
AliyunSTSAssumeRoleAccessor a custom policy that includes thests:AssumeRolepermission. -
On the Authentication tab, in the AccessKey section, click Create AccessKey and follow the prompts to complete creation.
-
-
Create a policy:
-
Go to the Permissions > Policies page and click Create Policy.
-
Select the JSON tab and enter the following content, then click OK.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "yundun-aisc:CreateSkillFileCheck", "yundun-aisc:List*" ], "Resource": "*" } ] } -
In the Create Policy dialog box, enter a Policy Name and click OK.
-
-
Create a RAM role and grant permissions:
-
On the page, click Create Role. For details, see Create a RAM role.
-
Click Grant Permission in the Actions column of the RAM role to attach the policy created in the previous step.
-
-
Obtain the RamRoleArn: Click the name of the role created in the previous step to go to the role details page. In the ARN section, you can view the RamRoleArn. For details, see View a RAM role.
NoteThe RamRoleArn is the ARN of the RAM role — the role ID to be assumed. The format is
acs:ram::$accountID:role/$roleName, where$accountIDis the Alibaba Cloud account ID and$roleNameis the RAM role name.
Get the endpoint
The endpoint format is aisc.[RegionId].aliyuncs.com. For the specific address, see Endpoints.
Call the API
The following code examples for uploading Skill files for detection all use AccessKey as the authentication credential.
Replace the #download_url# placeholder in the code with the publicly accessible URL of your Skill file. We recommend uploading the Skill file to Alibaba Cloud OSS or similar object storage and using a signed URL or public read URL as the DownloadUrl.
package com.aliyun.sample;
import com.aliyun.tea.*;
public class Sample {
public static com.aliyun.aisc20260101.Client createClient() throws Exception {
// We recommend using credential methods that do not use an AK. For more information, see https://help.aliyun.com/document_detail/378657.html.
com.aliyun.credentials.models.Config credentialConfig = new com.aliyun.credentials.models.Config();
credentialConfig.setType("access_key");
// Required. Use environment variables to avoid hardcoding credentials.
credentialConfig.setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"));
// Required. Use environment variables to avoid hardcoding credentials.
credentialConfig.setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
com.aliyun.credentials.Client credential = new com.aliyun.credentials.Client(credentialConfig);
com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config()
.setCredential(credential);
// For endpoints, see https://api.aliyun.com/product/AISC
config.endpoint = "aisc.[RegionId].aliyuncs.com";
return new com.aliyun.aisc20260101.Client(config);
}
public static void main(String[] args_) throws Exception {
com.aliyun.aisc20260101.Client client = Sample.createClient();
// Replace #DownloadUrl# with the public URL of the Skill file and #FileName# with the file name
com.aliyun.aisc20260101.models.CreateSkillFileCheckRequest.CreateSkillFileCheckRequestFiles files0 = new com.aliyun.aisc20260101.models.CreateSkillFileCheckRequest.CreateSkillFileCheckRequestFiles()
.setDownloadUrl("#DownloadUrl#")
.setFileName("#FileName#");
com.aliyun.aisc20260101.models.CreateSkillFileCheckRequest createSkillFileCheckRequest = new com.aliyun.aisc20260101.models.CreateSkillFileCheckRequest()
.setFiles(java.util.Arrays.asList(files0));
com.aliyun.teautil.models.RuntimeOptions runtime = new com.aliyun.teautil.models.RuntimeOptions();
try {
com.aliyun.aisc20260101.models.CreateSkillFileCheckResponse resp = client.createSkillFileCheckWithOptions(createSkillFileCheckRequest, runtime);
System.out.println(new com.google.gson.Gson().toJson(resp));
} catch (TeaException error) {
System.out.println(error.getMessage());
if (error.getData() != null) {
System.out.println(error.getData().get("Recommend"));
}
} catch (Exception _error) {
TeaException error = new TeaException(_error.getMessage(), _error);
System.out.println(error.getMessage());
if (error.getData() != null) {
System.out.println(error.getData().get("Recommend"));
}
}
}
}# -*- coding: utf-8 -*-
import os
import sys
import json
from typing import List
from alibabacloud_aisc20260101.client import Client as AISC20260101Client
from alibabacloud_credentials.client import Client as CredentialClient
from alibabacloud_credentials.models import Config as CredentialConfig
from alibabacloud_tea_openapi import models as open_api_models
from alibabacloud_aisc20260101 import models as aisc20260101_models
from alibabacloud_tea_util import models as util_models
from alibabacloud_tea_util.client import Client as UtilClient
class Sample:
def __init__(self):
pass
@staticmethod
def create_client() -> AISC20260101Client:
# We recommend using credential methods that do not use an AK. For more information, see https://help.aliyun.com/document_detail/378659.html.
credentialsConfig = CredentialConfig(
type='access_key',
# Required. Use environment variables to avoid hardcoding credentials.
access_key_id=os.environ.get('ALIBABA_CLOUD_ACCESS_KEY_ID'),
# Required. Use environment variables to avoid hardcoding credentials.
access_key_secret=os.environ.get('ALIBABA_CLOUD_ACCESS_KEY_SECRET')
)
credential = CredentialClient(credentialsConfig)
config = open_api_models.Config(
credential=credential
)
# For endpoints, see https://api.aliyun.com/product/AISC
config.endpoint = f'aisc.[RegionId].aliyuncs.com'
return AISC20260101Client(config)
@staticmethod
def main(
args: List[str],
) -> None:
# Replace #download_url# with the public URL of the Skill file and #file_name# with the file name
client = Sample.create_client()
files_0 = aisc20260101_models.CreateSkillFileCheckRequestFiles(
download_url='#download_url#',
file_name='#file_name#'
)
create_skill_file_check_request = aisc20260101_models.CreateSkillFileCheckRequest(
files=[
files_0
]
)
runtime = util_models.RuntimeOptions()
try:
resp = client.create_skill_file_check_with_options(create_skill_file_check_request, runtime)
print(json.dumps(resp, default=str, indent=2))
except Exception as error:
# Error message
if hasattr(error, 'message'):
print(error.message)
# Recommendation URL
if hasattr(error, 'data') and error.data:
print(error.data.get("Recommend"))
@staticmethod
async def main_async(
args: List[str],
) -> None:
client = Sample.create_client()
files_0 = aisc20260101_models.CreateSkillFileCheckRequestFiles(
download_url='#download_url#',
file_name='#file_name#'
)
create_skill_file_check_request = aisc20260101_models.CreateSkillFileCheckRequest(
files=[
files_0
]
)
runtime = util_models.RuntimeOptions()
try:
resp = await client.create_skill_file_check_with_options_async(create_skill_file_check_request, runtime)
print(json.dumps(resp, default=str, indent=2))
except Exception as error:
# Error message
if hasattr(error, 'message'):
print(error.message)
# Recommendation URL
if hasattr(error, 'data') and error.data:
print(error.data.get("Recommend"))
if __name__ == '__main__':
Sample.main(sys.argv[1:])package main
import (
"encoding/json"
"strings"
"fmt"
"os"
aisc20260101 "github.com/alibabacloud-go/aisc-20260101/client"
openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
util "github.com/alibabacloud-go/tea-utils/v2/service"
credential "github.com/aliyun/credentials-go/credentials"
"github.com/alibabacloud-go/tea/tea"
)
func CreateClient() (_result *aisc20260101.Client, _err error) {
// We recommend using credential methods that do not use an AK. For more information, see credential methods.
credentialsConfig := new(credential.Config).
SetType("access_key").
SetAccessKeyId(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_ID")).
SetAccessKeySecret(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
credential, _err := credential.NewCredential(credentialsConfig)
if _err != nil {
return _result, _err
}
config := &openapi.Config{
Credential: credential,
}
// For endpoints, see https://api.aliyun.com/product/AISC
config.Endpoint = tea.String("aisc.[RegionId].aliyuncs.com")
_result = &aisc20260101.Client{}
_result, _err = aisc20260101.NewClient(config)
return _result, _err
}
func _main(args []*string) (_err error) {
client, _err := CreateClient()
if _err != nil {
return _err
}
// Replace #download_url# with the public URL of the Skill file and #file_name# with the file name
files0 := &aisc20260101.CreateSkillFileCheckRequestFiles{
DownloadUrl: tea.String("#download_url#"),
FileName: tea.String("#file_name#"),
}
createSkillFileCheckRequest := &aisc20260101.CreateSkillFileCheckRequest{
Files: []*aisc20260101.CreateSkillFileCheckRequestFiles{files0},
}
runtime := &util.RuntimeOptions{}
tryErr := func() (_e error) {
defer func() {
if r := tea.Recover(recover()); r != nil {
_e = r
}
}()
resp, _err := client.CreateSkillFileCheckWithOptions(createSkillFileCheckRequest, runtime)
if _err != nil {
return _err
}
fmt.Printf("[LOG] %v\n", resp)
return nil
}()
if tryErr != nil {
var error = &tea.SDKError{}
if _t, ok := tryErr.(*tea.SDKError); ok {
error = _t
} else {
error.Message = tea.String(tryErr.Error())
}
// Error message
fmt.Println(tea.StringValue(error.Message))
// Recommendation URL
var data interface{}
d := json.NewDecoder(strings.NewReader(tea.StringValue(error.Data)))
d.Decode(&data)
if m, ok := data.(map[string]interface{}); ok {
recommend, _ := m["Recommend"]
fmt.Println(recommend)
}
}
return _err
}
func main() {
err := _main(tea.StringSlice(os.Args[1:]))
if err != nil {
panic(err)
}
}View detection results and API usage
After you upload Skill files through the SDK, the system automatically scans them and performs risk analysis. Results are displayed in the Agent Security Center console.
-
Access the Security Center console - Agent Security Center - Agent Risks. In the upper-left corner of the page, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.
-
On the Check tab, you can view the file risk data.
-
Statistics fields:
Field
Description
Used Quotas
The cumulative total number of Skill files submitted for detection across your account (this is the billing basis — each file counts as 1 unit).
Unprocessed Files
The number of Skill files that have been submitted for detection, contain risks, and have not yet been handled.
Unhandled Risk Severity
The distribution of unprocessed files by risk level: high, medium, and low.
-
Detection task list fields:
Field
Description
Risk Level
The risk level of the detection result: High (Critical/High), Medium, or Low. For the classification criteria, see Risk levels.
File Name
The name of the Skill file submitted for detection.
SHA256
The SHA256 hash of the file, used to uniquely identify the file content.
Scenario
The method by which the detection was triggered. Currently, only SDK is supported.
First Detected At
The time when the risk was first detected in this file.
Last Scan Time
The time when this file was most recently detected.
Status
The risk handling status: Unprocessed (pending handling) or Ignored (manually marked as ignored).
-
Handle risks
-
On the Check tab, click Details in the Actions column of the target file.
-
On the risk details page, choose an appropriate action based on the analysis in the Threat Description section.
-
Manual fix: Follow the remediation suggestions in the Solution section and manually fix the issue in the AI Agent where the Skill.md file resides.
-
Ignore: If the risk is within an acceptable range, click Ignore in the lower-left corner. After the operation, the Status changes to Ignored.
-
Limitations
-
The Skills detection API has a default rate limit of 10 calls per second. To increase the quota, contact your sales manager.
-
The Skill.md file size for a single detection must not exceed 1 MB.
FAQ
-
How do I troubleshoot AccessKey configuration errors?
If the SDK returns an
InvalidAccessKeyIdorAccessKeyDisablederror, check the following:-
Confirm that the AccessKey ID and AccessKey Secret are correctly entered without extra spaces or line breaks.
-
Confirm that the AccessKey status is Enabled. Check the key status in the RAM console.
-
We recommend configuring credentials through environment variables
ALIBABACLOUD_ACCESS_KEY_IDandALIBABACLOUD_ACCESS_KEY_SECRETto avoid hardcoding them in source code.
-
-
How do I handle API rate limit exceeded errors?
If you receive a
Throttling.Usererror, the current call frequency has exceeded the API rate limit threshold (default: 10 calls/second). To resolve this:-
Add retry logic with an exponential backoff strategy (initial wait of 1 second, doubling each retry, with a maximum of 3 retries).
-
To increase the call frequency, contact your sales manager to request a higher quota.
-
Appendix
Risk levels
|
Risk level |
Description |
|
Critical |
May cause severe consequences such as system crashes, complete data loss, exposure of production credentials, or remote control. |
|
High |
May cause high-risk consequences such as data corruption, exposure of non-production credentials, major security bypasses, or permission abuse. |
|
Medium |
May cause information disclosure, development environment risks, or recoverable data or configuration issues. |
|
Low |
Lower risk, commonly found in normal Skill development scenarios. Requires contextual judgment to determine severity. |
LLM deep intent analysis coverage
The LLM deep intent analysis currently covers 6 categories and 46 check items.
|
Category |
Number of check items |
Core detection targets |
|
Dangerous commands |
12 |
Destructive file deletion, disk operations, process termination, system shutdown, destructive database operations, destructive Git operations, package tampering, reverse shells, resource abuse, persistent backdoors, unsafe code injection, SQL injection / path traversal. |
|
Data exfiltration |
7 |
Outbound data transfer, credential file access, SSH key exfiltration, environment variable theft, clipboard / screenshot exfiltration, encoded data exfiltration, Agent context leakage. |
|
Prompt injection |
8 |
Direct instruction override, obfuscated instructions, indirect manipulation, meta instruction attacks, role switching, user deception, tool description injection, system prompt leakage. |
|
Privilege escalation |
5 |
Privilege escalation, sandbox bypass, security feature bypass, system configuration modification, permission relaxation. |
|
Unsafe configuration |
6 |
Dangerous tools without confirmation, missing confirmation requirements, overly permissive permissions, unsafe tool configurations, unsafe default behavior, MCP least privilege violation. |
|
Sensitive information exposure |
8 |
Hardcoded API keys, hardcoded access keys, hardcoded secrets, hardcoded passwords, hardcoded database credentials, hardcoded private keys, hardcoded Bearer tokens, hardcoded cloud credentials. |
Typical identifiable risks
|
Risk category |
Typical characteristics |
|
Destructive commands |
Destructive operations such as |
|
Credential theft |
Reading |
|
Obfuscated instructions |
Obfuscation techniques such as Base64, Hex, ROT13, zero-width characters, and Unicode homoglyphs. |
|
Reverse shell |
Reverse shell or remote control commands such as |
|
Persistent backdoor |
Writing to persistence mechanisms such as |
|
Prompt injection |
Injection patterns such as |
|
MCP tool injection |
Hidden instructions or permission induction in MCP tool descriptions, parameter schemas, and default values. |
|
Privilege escalation |
Permission relaxation operations such as |
|
Unsafe configuration |
Unsafe configurations such as |
|
Hardcoded credentials |
Hardcoded credential patterns such as |