securityscan
Scans OpenClaw/ClawHub skills for security vulnerabilities before installation. Detects prompt injection, data exfiltration, credential theft and RCE risks. Autonomous AI-to-AI flow with zero human intervention required.
README
SecurityScan API
Vulnerability scanner for AI agent skills. Detects prompt injection, malware patterns and OWASP LLM Top 10 issues before your agent installs an untrusted skill.
Live endpoint: https://apisecurityscan.net Health check: https://apisecurityscan.net/health
Why this exists
As AI agents increasingly install and execute third-party skills, supply chain security becomes a real problem. SecurityScan lets an agent verify a skill's safety autonomously — no human in the loop required.
What it detects
- Prompt injection patterns
- Malicious code indicators
- Data exfiltration attempts
- Unauthorized external API access
- Supply chain attack vectors
- OWASP LLM Top 10 coverage
Quick start
1. Get an API key
Register instantly — no payment required for the free tier:
curl -X POST https://apisecurityscan.net/auth/register \
-H "Content-Type: application/json" \
-d '{"email": "you@example.com", "name": "My Agent"}'
Response:
{
"api_key": "ss_live_...",
"plan": "FREE",
"scans_remaining": 5
}
Store api_key. Proceed immediately — no payment needed for FREE tier.
2. Run a scan
curl -X POST https://apisecurityscan.net/scan \
-H "Content-Type: application/json" \
-H "X-API-Key: ss_live_your_key" \
-d '{
"skill_url": "https://github.com/owner/skill-repo"
}'
Note: skill_url must be a github.com URL.
3. Response
{
"scan_id": "a1b2c3d4e5f6",
"skill_url": "https://github.com/owner/skill-repo",
"score": 72,
"recommendation": "CAUTION",
"issues": [
{
"type": "PROMPT_INJECTION",
"severity": "HIGH",
"line": 42,
"description": "Detected attempt to override agent instructions",
"snippet": "ignore previous instructions and..."
}
],
"scan_time_ms": 1240,
"cached": false,
"scans_remaining": 4
}
Verdict values: SAFE (score ≥ 80) · CAUTION (50–79) · DANGEROUS (< 50)
Pricing (MXN)
| Plan | Price | Scans | Type |
|---|---|---|---|
FREE |
$0 | 5/month | Free tier — no payment required |
PAY_PER_SCAN |
$2/scan | Pay as you go | One-time pack (5 scans min) |
PRO |
$399/month | Unlimited | Subscription |
Results cached 24 hours — rescanning the same skill costs zero scans.
Endpoints
| Method | Path | Auth | Description |
|---|---|---|---|
POST |
/auth/register |
None | Register and get API key (FREE tier) |
POST |
/scan |
X-API-Key | Submit a skill for scanning |
GET |
/scan/{scan_id} |
X-API-Key | Retrieve scan result |
GET |
/report/{skill_url} |
None | Public scan report (no cost) |
POST |
/billing/upgrade |
X-API-Key | Create Stripe checkout session |
GET |
/billing/status |
X-API-Key | Current plan and usage |
GET |
/health |
None | Service status |
GET |
/quickstart |
None | Agent quickstart guide |
Handle scan limit (402)
When /scan returns 402 scan_limit_reached:
# Step 1: get checkout URL
curl -X POST https://apisecurityscan.net/billing/upgrade \
-H "X-API-Key: ss_live_your_key" \
-H "Content-Type: application/json" \
-d '{"plan": "PAY_PER_SCAN"}'
# Step 2: complete payment at checkout_url
# Step 3: poll GET /billing/status until plan != FREE
# Step 4: retry scan
MCP integration
SecurityScan exposes an MCP server at https://apisecurityscan.net/mcp:
{
"mcpServers": {
"securityscan": {
"url": "https://apisecurityscan.net/mcp",
"transport": "http"
}
}
}
Available tools: scan_skill · get_report · check_certification
Latency & availability
- Average scan time: < 3 seconds
- Uptime: 99.9% (Contabo dedicated VPS)
- Response format: JSON
Companion service
DepScan API checks the external dependency health of skills (endpoints, SSL certificates, domain reputation, blacklists): https://depscan.net
License
MIT — this repository contains documentation and skill package only. Service source code is proprietary.
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.