Skills detection

更新时间:
复制 MD 格式

Skill files used in AI Agent development and CI/CD pipelines may contain malicious scripts, risky configurations, or prompt injections that are difficult to review manually at scale. Skills detection scans Skill files and their associated content through the SDK, automatically intercepting supply chain risks before deployment. You can view detection results and handle risks in the console.

Overview

Skills detection is a security scanning component for the AI Agent ecosystem that integrates into your development workflow or security operations platform through SDK or API. Unlike traditional code scanning tools, it focuses on Agent Skill supply chain security — specifically targeting dangerous commands, data exfiltration, prompt injection, privilege escalation, unsafe configurations, and sensitive information exposure in Skill.md files. For common identifiable risks, see Typical identifiable risks.

Detection capabilities

  • Malicious file detection: Combines external threat intelligence, malicious signatures, and suspicious script behavior to identify potential malicious files, backdoors, persistence logic, and resource abuse behavior in Skills.

  • Sensitive information detection: Uses rule matching and contextual analysis to detect risks of hardcoded API keys, AccessKey pairs, database credentials, private keys, Bearer tokens, and cloud provider credentials.

  • Skills poisoning and prompt attack detection: Detects Prompt Injection attacks carried out through malicious Skill injection, preventing attackers from using Skill distribution channels to tamper with Agent behavior, steal sensitive information, or execute unauthorized operations.

  • LLM deep intent analysis: Uses an LLM to analyze the overall behavioral intent of a Skill, identifying combined risks, contextual risks, and covert attack chains that rule-based detection alone cannot cover. For details, see LLM deep intent analysis coverage.

Context-aware precision detection

Skills detection leverages context to achieve high-confidence risk identification.

  • DevOps exemption: Automatically identifies routine commands in DevOps, build, and test scripts to avoid misclassifying legitimate operations as malicious behavior.

  • Non-sensitive content filtering: Environment variable placeholders, example configurations (such as .env.example), and documentation notes are semantically distinguished to filter out non-real credentials.

  • Legitimate behavior noise reduction: For public API calls, clearly specified upload targets, and standard tool usage, risk weights are reduced based on context.

  • Dynamic risk classification: Privilege escalation and insecure configurations are classified as low-priority by default. Alerts are escalated only when associated with high-risk scenarios such as data exfiltration, backdoor implantation, or malicious execution.

  • Precise intent recognition: During prompt interactions, security education and risk disclosure documents are strictly distinguished from real attack instructions to ensure that only malicious intent triggers interception.

Use cases

  • AI Agent application development: Detect malicious commands and prompt injections in Skill.md files during the development phase to ensure Skills come from trusted sources and contain safe instructions.

  • CI/CD security scanning: Integrate Skills detection into your CI/CD pipeline for automated security scanning during continuous integration and delivery.

  • Security Operations Center (SOC) integration: Connect Skills detection to your SOC platform for continuous monitoring of the Agent ecosystem. Detections can be unified into your security event management workflow.

Billing

Skills SDK detection is a standalone pay-as-you-go service. Billing rules:

  • Billing unit: Charged per file. Each Skill file scanned counts as 1 unit.

  • Cumulative billing: If a single API call submits multiple files, you are billed for the total number of files.

    Example: Submitting 10 files in one API call is billed as 10 units.

  • Billing condition: Charges apply only when the detection task completes successfully. No charge is applied if the file upload or detection task fails.

  • Unit price: CNY 10 per unit.

Note

Plan your usage based on actual detection needs to keep costs within budget.

Activate Skills detection

  1. Access the Security Center console - Agent Security Center - Agent Risks. In the upper-left corner of the page, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.

  2. On the Check tab, click Activate Now in the upper-right corner.

Upload Skill files

Agent Security Center supports uploading Skill files for risk detection only through SDK integration by calling the CreateSkillFileCheck API. Multi-language SDKs are available for Java, Python, and Go.

Install the SDK

Java

Prerequisites

Requires Java 8 or later.

Installation

Add the following dependency to your Maven project:

<dependency>
  <groupId>com.aliyun</groupId>
  <artifactId>aisc20260101</artifactId>
  <version>1.0.1</version>
</dependency>
Important

We recommend using the latest version. For version details, see SDK Reference.

Python

Prerequisites

Requires Python 3.7 or later.

Installation

pip install alibabacloud_aisc20260101==1.0.1
Important

We recommend using the latest version. For version details, see SDK Reference.

Go

Prerequisites

  • Go version must be 1.10.x or later.

  • Install the OpenAPI core library:

    go get github.com/alibabacloud-go/darabonba-openapi/v2/client

Installation

go get github.com/alibabacloud-go/aisc-20260101
Important

We recommend using the latest version. For version details, see SDK Reference.

Configure credentials

Note

For more credential configuration methods, see Manage credentials.

AccessKey

Note

By default, your Alibaba Cloud account has Administrator permissions for all resources and this cannot be modified. For security, we recommend creating an AccessKey for a RAM user and granting only the minimum required permissions.

  1. Create an AccessKey:

    1. Log on to the RAM console. On the Identities > Users page, click the target RAM user name. If no RAM user exists, Create a RAM user first.

    2. On the Authentication tab, in the AccessKey section, click Create AccessKey and follow the prompts to complete creation.

  2. Create a policy:

    1. Go to the Permissions > Policies page and click Create Policy.

    2. Select the JSON tab and enter the following content, then click OK.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "yundun-aisc:CreateSkillFileCheck",
              "yundun-aisc:List*"
            ],
            "Resource": "*"
          }
        ]
      }
    3. In the Create Policy dialog box, enter a Policy Name and click OK.

  3. Attach the policy: Click Grant Permission in the Actions column of the RAM user to attach the policy created in the previous step. For details, see Manage RAM user permissions.

ECS RAM role

An ECS RAM role is a service role with Alibaba Cloud ECS as the trusted service. It lets you obtain a temporary access credential (STS token) from within the ECS instance without configuring an AccessKey, enabling calls to the Agent Security Center OpenAPI.

  1. Create an ECS RAM role and bind it to an ECS instance:

    1. Log on to the RAM console and create a RAM role with the trusted entity set to Alibaba Cloud Service. For details, see Instance RAM roles.

      1. Trusted entity type: Select Elastic Compute Service.

      2. Trusted entity name: Select ECS.

    2. Log on to the ECS console and grant the RAM role to the target ECS instance. image

  2. Create a policy:

    1. Go to the Permissions > Policies page and click Create Policy.

    2. Select the JSON tab and enter the following content, then click OK.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "yundun-aisc:CreateSkillFileCheck",
              "yundun-aisc:List*"
            ],
            "Resource": "*"
          }
        ]
      }
    3. In the Create Policy dialog box, enter a Policy Name and click OK.

  3. Attach the policy: Click Grant Permission in the Actions column of the ECS RAM role to attach the policy created in the previous step.

AccessKey + RamRoleArn

A RAM user or cloud service can assume a role to obtain temporary permissions (STS token) instead of using long-term keys, reducing the risk of key exposure. For example, a RAM user can temporarily assume a role with a specific RamRoleArn for a data processing task, and the role permissions are revoked after the task completes.

  1. Create an AccessKey:

    1. Log on to the RAM console. On the Identities > Users page, click the target RAM user name. If no RAM user exists, Create a RAM user first.

    2. Click Grant Permission in the Actions column of the RAM user to assign the system policy AliyunSTSAssumeRoleAccess or a custom policy that includes the sts:AssumeRole permission.

    3. On the Authentication tab, in the AccessKey section, click Create AccessKey and follow the prompts to complete creation.

  2. Create a policy:

    1. Go to the Permissions > Policies page and click Create Policy.

    2. Select the JSON tab and enter the following content, then click OK.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "yundun-aisc:CreateSkillFileCheck",
              "yundun-aisc:List*"
            ],
            "Resource": "*"
          }
        ]
      }
    3. In the Create Policy dialog box, enter a Policy Name and click OK.

  3. Create a RAM role and grant permissions:

    1. On the Identities > Roles page, click Create Role. For details, see Create a RAM role.

    2. Click Grant Permission in the Actions column of the RAM role to attach the policy created in the previous step.

  4. Obtain the RamRoleArn: Click the name of the role created in the previous step to go to the role details page. In the ARN section, you can view the RamRoleArn. For details, see View a RAM role.

    Note

    The RamRoleArn is the ARN of the RAM role — the role ID to be assumed. The format is acs:ram::$accountID:role/$roleName, where $accountID is the Alibaba Cloud account ID and $roleName is the RAM role name.

Get the endpoint

The endpoint format is aisc.[RegionId].aliyuncs.com. For the specific address, see Endpoints.

Call the API

The following code examples for uploading Skill files for detection all use AccessKey as the authentication credential.

Note

Replace the #download_url# placeholder in the code with the publicly accessible URL of your Skill file. We recommend uploading the Skill file to Alibaba Cloud OSS or similar object storage and using a signed URL or public read URL as the DownloadUrl.

package com.aliyun.sample;

import com.aliyun.tea.*;

public class Sample {

    public static com.aliyun.aisc20260101.Client createClient() throws Exception {
        // We recommend using credential methods that do not use an AK. For more information, see https://help.aliyun.com/document_detail/378657.html.
        com.aliyun.credentials.models.Config credentialConfig = new com.aliyun.credentials.models.Config();
        credentialConfig.setType("access_key");
        // Required. Use environment variables to avoid hardcoding credentials.
        credentialConfig.setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"));
        // Required. Use environment variables to avoid hardcoding credentials.
        credentialConfig.setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));

        com.aliyun.credentials.Client credential = new com.aliyun.credentials.Client(credentialConfig);
        com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config()
                .setCredential(credential);
        // For endpoints, see https://api.aliyun.com/product/AISC
        config.endpoint = "aisc.[RegionId].aliyuncs.com";
        return new com.aliyun.aisc20260101.Client(config);
    }

    public static void main(String[] args_) throws Exception {
        com.aliyun.aisc20260101.Client client = Sample.createClient();
        // Replace #DownloadUrl# with the public URL of the Skill file and #FileName# with the file name
        com.aliyun.aisc20260101.models.CreateSkillFileCheckRequest.CreateSkillFileCheckRequestFiles files0 = new com.aliyun.aisc20260101.models.CreateSkillFileCheckRequest.CreateSkillFileCheckRequestFiles()
                .setDownloadUrl("#DownloadUrl#")
                .setFileName("#FileName#");
        com.aliyun.aisc20260101.models.CreateSkillFileCheckRequest createSkillFileCheckRequest = new com.aliyun.aisc20260101.models.CreateSkillFileCheckRequest()
                .setFiles(java.util.Arrays.asList(files0));
        com.aliyun.teautil.models.RuntimeOptions runtime = new com.aliyun.teautil.models.RuntimeOptions();
        try {
            com.aliyun.aisc20260101.models.CreateSkillFileCheckResponse resp = client.createSkillFileCheckWithOptions(createSkillFileCheckRequest, runtime);
            System.out.println(new com.google.gson.Gson().toJson(resp));
        } catch (TeaException error) {
            System.out.println(error.getMessage());
            if (error.getData() != null) {
                System.out.println(error.getData().get("Recommend"));
            }
        } catch (Exception _error) {
            TeaException error = new TeaException(_error.getMessage(), _error);
            System.out.println(error.getMessage());
            if (error.getData() != null) {
                System.out.println(error.getData().get("Recommend"));
            }
        }
    }
}
# -*- coding: utf-8 -*-
import os
import sys
import json
from typing import List

from alibabacloud_aisc20260101.client import Client as AISC20260101Client
from alibabacloud_credentials.client import Client as CredentialClient
from alibabacloud_credentials.models import Config as CredentialConfig
from alibabacloud_tea_openapi import models as open_api_models
from alibabacloud_aisc20260101 import models as aisc20260101_models
from alibabacloud_tea_util import models as util_models
from alibabacloud_tea_util.client import Client as UtilClient


class Sample:
    def __init__(self):
        pass

    @staticmethod
    def create_client() -> AISC20260101Client:
        # We recommend using credential methods that do not use an AK. For more information, see https://help.aliyun.com/document_detail/378659.html.
        credentialsConfig = CredentialConfig(
            type='access_key',
            # Required. Use environment variables to avoid hardcoding credentials.
            access_key_id=os.environ.get('ALIBABA_CLOUD_ACCESS_KEY_ID'),
            # Required. Use environment variables to avoid hardcoding credentials.
            access_key_secret=os.environ.get('ALIBABA_CLOUD_ACCESS_KEY_SECRET')
        )
        credential = CredentialClient(credentialsConfig)
        config = open_api_models.Config(
            credential=credential
        )
        # For endpoints, see https://api.aliyun.com/product/AISC
        config.endpoint = f'aisc.[RegionId].aliyuncs.com'
        return AISC20260101Client(config)

    @staticmethod
    def main(
        args: List[str],
    ) -> None:
        # Replace #download_url# with the public URL of the Skill file and #file_name# with the file name
        client = Sample.create_client()
        files_0 = aisc20260101_models.CreateSkillFileCheckRequestFiles(
            download_url='#download_url#',
            file_name='#file_name#'
        )
        create_skill_file_check_request = aisc20260101_models.CreateSkillFileCheckRequest(
            files=[
                files_0
            ]
        )
        runtime = util_models.RuntimeOptions()
        try:
            resp = client.create_skill_file_check_with_options(create_skill_file_check_request, runtime)
            print(json.dumps(resp, default=str, indent=2))
        except Exception as error:
            # Error message
            if hasattr(error, 'message'):
                print(error.message)
            # Recommendation URL
            if hasattr(error, 'data') and error.data:
                print(error.data.get("Recommend"))

    @staticmethod
    async def main_async(
        args: List[str],
    ) -> None:
        client = Sample.create_client()
        files_0 = aisc20260101_models.CreateSkillFileCheckRequestFiles(
            download_url='#download_url#',
            file_name='#file_name#'
        )
        create_skill_file_check_request = aisc20260101_models.CreateSkillFileCheckRequest(
            files=[
                files_0
            ]
        )
        runtime = util_models.RuntimeOptions()
        try:
            resp = await client.create_skill_file_check_with_options_async(create_skill_file_check_request, runtime)
            print(json.dumps(resp, default=str, indent=2))
        except Exception as error:
            # Error message
            if hasattr(error, 'message'):
                print(error.message)
            # Recommendation URL
            if hasattr(error, 'data') and error.data:
                print(error.data.get("Recommend"))


if __name__ == '__main__':
    Sample.main(sys.argv[1:])
package main

import (
  "encoding/json"
  "strings"
  "fmt"
  "os"
  aisc20260101  "github.com/alibabacloud-go/aisc-20260101/client"
  openapi  "github.com/alibabacloud-go/darabonba-openapi/v2/client"
  util  "github.com/alibabacloud-go/tea-utils/v2/service"
  credential  "github.com/aliyun/credentials-go/credentials"
  "github.com/alibabacloud-go/tea/tea"
)


func CreateClient() (_result *aisc20260101.Client, _err error) {
  // We recommend using credential methods that do not use an AK. For more information, see credential methods.
  credentialsConfig := new(credential.Config).
    SetType("access_key").
    SetAccessKeyId(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_ID")).
    SetAccessKeySecret(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
  credential, _err := credential.NewCredential(credentialsConfig)
  if _err != nil {
    return _result, _err
  }

  config := &openapi.Config{
    Credential: credential,
  }
  // For endpoints, see https://api.aliyun.com/product/AISC
  config.Endpoint = tea.String("aisc.[RegionId].aliyuncs.com")
  _result = &aisc20260101.Client{}
  _result, _err = aisc20260101.NewClient(config)
  return _result, _err
}

func _main(args []*string) (_err error) {
  client, _err := CreateClient()
  if _err != nil {
    return _err
  }
  // Replace #download_url# with the public URL of the Skill file and #file_name# with the file name
  files0 := &aisc20260101.CreateSkillFileCheckRequestFiles{
    DownloadUrl: tea.String("#download_url#"),
    FileName:    tea.String("#file_name#"),
  }
  createSkillFileCheckRequest := &aisc20260101.CreateSkillFileCheckRequest{
    Files: []*aisc20260101.CreateSkillFileCheckRequestFiles{files0},
  }
  runtime := &util.RuntimeOptions{}
  tryErr := func() (_e error) {
    defer func() {
      if r := tea.Recover(recover()); r != nil {
        _e = r
      }
    }()
    resp, _err := client.CreateSkillFileCheckWithOptions(createSkillFileCheckRequest, runtime)
    if _err != nil {
      return _err
    }
    fmt.Printf("[LOG] %v\n", resp)
    return nil
  }()

  if tryErr != nil {
    var error = &tea.SDKError{}
    if _t, ok := tryErr.(*tea.SDKError); ok {
      error = _t
    } else {
      error.Message = tea.String(tryErr.Error())
    }
    // Error message
    fmt.Println(tea.StringValue(error.Message))
    // Recommendation URL
    var data interface{}
    d := json.NewDecoder(strings.NewReader(tea.StringValue(error.Data)))
    d.Decode(&data)
    if m, ok := data.(map[string]interface{}); ok {
      recommend, _ := m["Recommend"]
      fmt.Println(recommend)
    }
  }
  return _err
}


func main() {
  err := _main(tea.StringSlice(os.Args[1:]))
  if err != nil {
    panic(err)
  }
}

View detection results and API usage

After you upload Skill files through the SDK, the system automatically scans them and performs risk analysis. Results are displayed in the Agent Security Center console.

  1. Access the Security Center console - Agent Security Center - Agent Risks. In the upper-left corner of the page, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.

  2. On the Check tab, you can view the file risk data.

    • Statistics fields:

      Field

      Description

      Used Quotas

      The cumulative total number of Skill files submitted for detection across your account (this is the billing basis — each file counts as 1 unit).

      Unprocessed Files

      The number of Skill files that have been submitted for detection, contain risks, and have not yet been handled.

      Unhandled Risk Severity

      The distribution of unprocessed files by risk level: high, medium, and low.

    • Detection task list fields:

      Field

      Description

      Risk Level

      The risk level of the detection result: High (Critical/High), Medium, or Low. For the classification criteria, see Risk levels.

      File Name

      The name of the Skill file submitted for detection.

      SHA256

      The SHA256 hash of the file, used to uniquely identify the file content.

      Scenario

      The method by which the detection was triggered. Currently, only SDK is supported.

      First Detected At

      The time when the risk was first detected in this file.

      Last Scan Time

      The time when this file was most recently detected.

      Status

      The risk handling status: Unprocessed (pending handling) or Ignored (manually marked as ignored).

Handle risks

  1. On the Check tab, click Details in the Actions column of the target file.

  2. On the risk details page, choose an appropriate action based on the analysis in the Threat Description section.

    • Manual fix: Follow the remediation suggestions in the Solution section and manually fix the issue in the AI Agent where the Skill.md file resides.

    • Ignore: If the risk is within an acceptable range, click Ignore in the lower-left corner. After the operation, the Status changes to Ignored.

Limitations

  • The Skills detection API has a default rate limit of 10 calls per second. To increase the quota, contact your sales manager.

  • The Skill.md file size for a single detection must not exceed 1 MB.

FAQ

  • How do I troubleshoot AccessKey configuration errors?

    If the SDK returns an InvalidAccessKeyId or AccessKeyDisabled error, check the following:

    • Confirm that the AccessKey ID and AccessKey Secret are correctly entered without extra spaces or line breaks.

    • Confirm that the AccessKey status is Enabled. Check the key status in the RAM console.

    • We recommend configuring credentials through environment variables ALIBABACLOUD_ACCESS_KEY_ID and ALIBABACLOUD_ACCESS_KEY_SECRET to avoid hardcoding them in source code.

  • How do I handle API rate limit exceeded errors?

    If you receive a Throttling.User error, the current call frequency has exceeded the API rate limit threshold (default: 10 calls/second). To resolve this:

    • Add retry logic with an exponential backoff strategy (initial wait of 1 second, doubling each retry, with a maximum of 3 retries).

    • To increase the call frequency, contact your sales manager to request a higher quota.

Appendix

Risk levels

Risk level

Description

Critical

May cause severe consequences such as system crashes, complete data loss, exposure of production credentials, or remote control.

High

May cause high-risk consequences such as data corruption, exposure of non-production credentials, major security bypasses, or permission abuse.

Medium

May cause information disclosure, development environment risks, or recoverable data or configuration issues.

Low

Lower risk, commonly found in normal Skill development scenarios. Requires contextual judgment to determine severity.

LLM deep intent analysis coverage

The LLM deep intent analysis currently covers 6 categories and 46 check items.

Category

Number of check items

Core detection targets

Dangerous commands

12

Destructive file deletion, disk operations, process termination, system shutdown, destructive database operations, destructive Git operations, package tampering, reverse shells, resource abuse, persistent backdoors, unsafe code injection, SQL injection / path traversal.

Data exfiltration

7

Outbound data transfer, credential file access, SSH key exfiltration, environment variable theft, clipboard / screenshot exfiltration, encoded data exfiltration, Agent context leakage.

Prompt injection

8

Direct instruction override, obfuscated instructions, indirect manipulation, meta instruction attacks, role switching, user deception, tool description injection, system prompt leakage.

Privilege escalation

5

Privilege escalation, sandbox bypass, security feature bypass, system configuration modification, permission relaxation.

Unsafe configuration

6

Dangerous tools without confirmation, missing confirmation requirements, overly permissive permissions, unsafe tool configurations, unsafe default behavior, MCP least privilege violation.

Sensitive information exposure

8

Hardcoded API keys, hardcoded access keys, hardcoded secrets, hardcoded passwords, hardcoded database credentials, hardcoded private keys, hardcoded Bearer tokens, hardcoded cloud credentials.

Typical identifiable risks

Risk category

Typical characteristics

Destructive commands

Destructive operations such as rm -rf, mkfs, dd, DROP DATABASE, and git reset --hard.

Credential theft

Reading .env, credentials.json, ~/.aws/credentials, or ~/.ssh/id_rsa and exfiltrating the contents.

Obfuscated instructions

Obfuscation techniques such as Base64, Hex, ROT13, zero-width characters, and Unicode homoglyphs.

Reverse shell

Reverse shell or remote control commands such as bash -i, nc -e, and PowerShell EncodedCommand.

Persistent backdoor

Writing to persistence mechanisms such as crontab, systemctl, shell profiles, or authorized_keys.

Prompt injection

Injection patterns such as ignore previous instructions, do not tell the user, and you are now.

MCP tool injection

Hidden instructions or permission induction in MCP tool descriptions, parameter schemas, and default values.

Privilege escalation

Permission relaxation operations such as sudo, --no-sandbox, chmod 777, and Set-ExecutionPolicy.

Unsafe configuration

Unsafe configurations such as alwaysAllow, require_confirmation: false, tools: ["*"], and permissions: ["all"].

Hardcoded credentials

Hardcoded credential patterns such as sk-, AKIA, LTAI, ghp_, xoxb-, JWTs, RSA private keys, and database connection strings.