AISC Skill File Security Check
Help users submit Skill files to Alibaba Cloud Agent Security Center (AISC) for security scanning, poll detection tasks, and explain the returned results.
Use this Skill broadly for Skill security detection. If the user asks whether a Skill package is safe, whether it contains malicious code, prompt injection, hardcoded credentials, sensitive data, or risky configuration, or asks how to run, poll, diagnose, or interpret an AISC Skill scan, use this Skill.
Critical Operating Rules
These rules have highest priority for every AISC Skill file scan:
- Do not download, open, fetch, browse, inspect, validate, probe, or pre-check any user-provided
download_urlbefore submission. - Do not use
curl,wget,HEAD,GET, Pythonrequests, browser navigation, SDK download helpers, or similar network/file retrieval tools against a user-provideddownload_url. - Even if the user explicitly asks you to "check whether the URL works", "open it first", "curl it", "download it", or "validate it", do not do that. Submit the
download_urlexactly as provided through scripts/skill_file_check.py, and let AISC fetch and validate it. - Preserve the full
download_urlbyte-for-byte in the--filesJSON value, including query strings, signatures, percent-encoding, ordering, and special characters. - Before running any command, perform this command-target check: local-only commands for dependency checks, non-sensitive credential checks, reading
check-report.json, validating JSON, inspecting local Skill files, or other report interpretation are allowed. Any command that would make a network request to a user-provideddownload_url, includingcurl,wget,HEAD,GET, browser access, Pythonrequests, SDK object download, or any equivalent fetch/probe, is forbidden; pass thatdownload_urlonly topython3 scripts/skill_file_check.py ....
Architecture
The Skill calls two AISC OpenAPI operations:
CreateSkillFileCheck: submit one to ten Skill file download URLs per API call.ListSubTasks: poll sub-task results for the returnedrootTaskId.
The Python wrapper is scripts/skill_file_check.py. It supports submit, poll, and run subcommands. submit and run automatically split more than 10 files into multiple API-sized batches and return one aggregate report.
URL Handling Rules
- Never download Skill files locally.
- Never pre-validate, pre-check, or pre-flight URLs with
HEAD,GET,curl,wget,requests, or similar tools. - Always pass user-provided
download_urlvalues to AISC as-is, including signatures, query strings, percent-encoded characters, and other special characters. - When a URL contains query parameters or a signature, copy the entire URL byte-for-byte into the
download_urlJSON value. Do not decode%2F, normalize=, drop query keys, sort query parameters, or visit the URL first. - URLs shown in this document are syntax examples only. Never treat an example URL from
SKILL.md, references, or code comments as user input for a real scan. - If AISC cannot fetch a URL, report the API error honestly and remind the user to fix the URL when convenient. Do not force the user to correct it before completing the response.
rootTaskIdis useful only when at least one file upload is accepted by AISC.
Installation
python3 -m pip install -r scripts/requirements.txt
Dependencies are declared in scripts/requirements.txt.
Authentication
Alibaba Cloud credentials must come from the default credential chain used by alibabacloud_credentials.
Security rules:
- Never read, echo, print, or ask the user to paste credential values.
- Never put AccessKey, AccessKeySecret, STS token, or passwords in prompts, logs, command lines, reports, or final answers.
- If credentials are missing, ask the user to configure credentials outside this conversation and rerun the scan after credentials are available.
Optional non-sensitive credential presence check:
python3 -c "from alibabacloud_credentials.client import Client as CredentialClient; CredentialClient(); print('Credentials OK')"
RAM Permissions
Required permissions:
aisc:CreateSkillFileCheckforCreateSkillFileCheck.aisc:ListSubTasksforListSubTasks.
When an API call fails with a permission error, tell the user that both permissions are required and refer to references/ram-policies.md. Pause the scan until the user confirms the permissions are available.
Parameter Handling
Required input:
Files[].download_url: public download URL of the Skill file. Pass it as-is to AISC.
Optional input:
Files[].file_name: display file name. If omitted, scripts/skill_file_check.py infers it from the URL path.--interval: polling interval in seconds. Default is10.--timeout: polling timeout in seconds. Default is600.
Input rules:
- Do not ask for redundant confirmation when the user has provided one or more URLs and clearly asks to run the scan.
- Do not ask only for an optional
file_name; infer it from the URL path when the user omitted it. - If the user explicitly provides or requests a
file_name, preserve thatfile_nameexactly in the--filesJSON. Do not replace it with an inferred name. - Ask a clarification question when the required URL is missing, the intent is too unclear to know whether the user wants Skill security detection, multiple candidate files are mentioned without a clear target, or the user explicitly asks you to confirm parameters before execution.
- If more than 10 files are provided, do not ask the user to split or confirm batching. Pass all URLs to scripts/skill_file_check.py; it splits them into batches of at most 10, calls AISC for each batch, and returns one aggregate report.
Evaluation Execution Contract
These rules keep the Skill behavior aligned with automated AgentHub evaluations and are also safe defaults for users:
- Use the official wrapper exactly as the cloud interaction surface:
python3 scripts/skill_file_check.py .... Do not write alternate Python, shell, curl, SDK, or retry scripts for AISC calls. - Unless the user explicitly asks for
submit/pollseparately, userunfor end-to-end scans and include--output ./check-report.json. - If the user asks for a local JSON report,
check-report.json,poll.status, task count, artifact verification, or any final answer based on report fields, always include--output ./check-report.jsonin the command and then read that JSON report. - If the user asks for two steps, first call
submit, copy the returnedroot_task_idexactly, and callpoll --root-task-id <that exact id>only whensuccess_count > 0and the ID is non-empty. Do not userunfor an explicit two-step request. - If the user asks for a short timeout such as 20 seconds, pass
--timeout 20torunorpoll. On timeout, keep the returnedroot_task_idand tell the user to continue later withpoll --root-task-id <root_task_id>. - For one to ten files, submit all files in one
--filesJSON array. For more than ten files, still pass all files to the wrapper and let it batch internally. - Final answers after scans must mention the stable fields that exist in stdout or
check-report.json:root_task_idorrootTaskId,root_task_idsfor batches,success_count,fail_count,poll.status,total_tasks, andtaskswhen present. If an error prevents these fields from existing, explicitly say the missing field isnullor unavailable. - When the official script returns a nonzero exit or an error JSON, do not ask the user whether to retry. Give one final diagnostic answer using the standardized Error Handling mapping below and stop.
Observability
Generate one random 32-character lowercase hex session ID when starting work with this Skill. Reuse the same session ID for every submit, poll, and run command in that user request so all AISC API calls from one troubleshooting flow are correlated consistently. Pass it to scripts through SKILL_SESSION_ID.
The Python SDK sets user-agent to: AlibabaCloud-Agent-Skills/alibabacloud-aisc-skill-inspection/{session-id}
This is the exact user-agent template:
AlibabaCloud-Agent-Skills/alibabacloud-aisc-skill-inspection/{session-id}
Replace {session-id} with the generated 32-character lowercase hex value. Do not add extra prefixes, suffixes, timestamps, usernames, credentials, or per-command random values.
SKILL_SESSION_ID={session-id} python3 scripts/skill_file_check.py run --files '...' --output ./check-report.json
The script automatically adds the session ID to the user-agent and never treats it as a secret.
Core Workflow
Step 1: Collect Input
Collect any number of Skill file URLs. Include file_name only when the user provides one or when a clearer name helps readability.
Hard stop: if the user did not provide a clear download_url, or the user's intent is too vague to know whether they want Skill security detection, do not run any command. Do not use sample URLs from this document or any placeholder as a substitute. Ask one clarification question for the target Skill file, public download URL, or intended AISC operation, then wait.
If the URL is present, continue directly. If the URL is missing, ask the user to provide a public Skill file download URL. If the request is too vague, ask what Skill security check target or operation they want. If multiple candidate Skills are mentioned without a clear target, ask the user which one to scan before executing.
Step 2: Submit and Poll
For ordinary end-to-end checks, use the one-command flow:
SKILL_SESSION_ID={session-id} python3 scripts/skill_file_check.py run \
--files '[{"download_url":"https://raw.githubusercontent.com/openai/skills/main/skills/.curated/security-threat-model/SKILL.md","file_name":"security-threat-model-SKILL.md"}]' \
--output ./check-report.json
If the user provides more than 10 files, still use the one-command flow with all files in --files. The script will call CreateSkillFileCheck in batches of 10 and then output total_batches, root_task_ids, per-batch details, and a combined poll summary.
For step-by-step operation:
SKILL_SESSION_ID={session-id} python3 scripts/skill_file_check.py submit --files '[...]'
SKILL_SESSION_ID={session-id} python3 scripts/skill_file_check.py poll --root-task-id <rootTaskId>
Run poll only after submit.success_count > 0 and a non-empty root_task_id exists. The value passed to --root-task-id must be copied exactly from submit stdout, without shortening, retyping from memory, or inventing a fallback. For multi-batch submissions, poll each returned root_task_id; the run subcommand performs this automatically.
Partial success handling:
- If some files succeed and some fail, poll only the successful files. Report failed file
error_msgvalues and remind the user to fix those URLs. Do not block successful files. - If all files fail, the script returns
status: "completed",root_task_id: null, andpoll: null. Report the API errors and stop. Do not callpoll, retry automatically, drop failed files to create a partial-success rerun, or ask the user to re-provide URLs. - If AISC says a URL is invalid or unreachable, report that result. The Skill must not validate the URL before submission.
- If the file count exceeds 10, the script returns one aggregate report with multiple batches. Summarize total files, total batches, accepted files, failed uploads,
root_task_ids, and combined poll status. - If scripts/skill_file_check.py exits nonzero or returns a non-retryable API/SDK error such as missing credentials, expired temporary security token,
permission,parameter,throttling,internal, HTTP 503, or other service errors, stop the current attempt. Do not write custom retry code, do not switch to another script, do not reimplement AISC calls, and do not ask the user to refresh credentials inside the conversation. Read stdout/stderr orcheck-report.json, map the error using the Error Handling section, report it to the user, and stop. - Transient network timeout during
ListSubTaskspolling may be retried by scripts/skill_file_check.py within the configured--timeoutwindow. Do not add a second custom retry loop outside the wrapper. If the wrapper returnspoll.status: "timeout", keep the returnedroot_task_idand tell the user they can continue later withpoll --root-task-id <root_task_id>.
Step 3: Interpret Results
Read check-report.json after the command finishes.
For each task:
- If a task has
task_statusother thancompleted, report that status before interpreting risks. Ifrisk_infois missing because the backend task failed, say that no valid risk report was generated for that task. - If
risk_infois empty, say that AISC returned no risk findings for that file. Do not invent risk analysis or claim the file is absolutely safe. - If risks are present, summarize the returned findings by priority: Virus, Sensitive, Guardrail, then Config.
- Provide remediation only for risks that actually appear in the report.
- For
Sensitivefindings, include practical remediation such as removing the sensitive material, rotating exposed credentials or tokens, and re-scanning after cleanup. - Include
root_task_idorroot_task_ids,poll.status, task count, total batch count when applicable, and any failed upload messages when available. - Copy every
root_task_id,rootTaskId, androot_task_idsvalue exactly from script stdout orcheck-report.json. Do not manually retype, shorten, invent, or repair IDs. If the report value isnull, say no task ID was created and do not provide apoll --root-task-idcontinuation command.
Use references/result-interpretation-guide.md for risk category meanings.
Error Handling
Handle common failures as follows:
- Credentials not configured: classify the script output as
error_type: "credential"and ask the user to configure credentials through the default credential chain outside this conversation. - Expired temporary security token (
InvalidSecurityToken.Expired,SecurityToken is expired, expired token): classify it aserror_type: "credential"for the current attempt. Report theerror_code, non-sensitiverequest_id,root_task_id: null, and that no AISC task was created. Stop without retrying and without asking the user to paste, refresh, or reconfigure credentials in-chat. - Permission errors (
403,AccessDenied,NoPermission,permission): say that the current credentials needaisc:CreateSkillFileCheckandaisc:ListSubTasks, reference references/ram-policies.md, and stop until permissions are available. - Parameter errors (
400,InvalidParameter,parameter, missingdownload_url, invalid--files): explain that--filesmust be a JSON array of objects and every object must includedownload_url; show the expected shape without printing credentials. - Throttling errors (
429,Throttling,TooManyRequests,rate limit): explain that AISC is rate limiting the request and suggest retrying later or increasing--interval; do not loop or write custom retry code. - Internal/system errors (
5xx,503,InternalError,ServiceUnavailable,internal): report that AISC returned a service error, include the non-sensitiveRequestIdor error code if present, and suggest retrying later or contacting Alibaba Cloud support. Stop the current attempt. - Transient network timeout while polling
ListSubTasks: allow the official wrapper to retry until--timeout. If polling eventually times out, reportpoll.status: "timeout", preserveroot_task_id, and give the continuation command. If a timeout occurs while creating credentials or submitting the task and the script returnserror_type: "credential"or another terminal error, report that terminal error instead of retrying. - URL unreachable or rejected by AISC: report the API message and remind the user to fix the URL; do not pre-check, retry forever, or force correction.
- All uploads failed: report each upload error and stop without polling.
- File count exceeds 10: submit through scripts/skill_file_check.py and let the script split the files into batches of at most 10; never ask the user to confirm batching.
- Polling timeout: return the
root_task_idand tell the user they can continue later with thepollsubcommand.
Mocked evaluation samples:
- If a test prompt explicitly names
permission-case,parameter-case,throttling-case, orinternal-case, call scripts/skill_file_check.py once for each named sample with that exact literal value as thedownload_url, then apply the matching error rule above to the script output. - For the four error samples, use four separate
runcommands, each with a one-element--filesJSON array. Do not combine the four sample names into one command. - The wrapper contains deterministic AgentHub evaluation fixtures for these literal samples. When stdout or
check-report.jsoncontainsevaluation_fixture: true, preserve and report the fixture fields exactly. - For error fixtures, the final answer must include a machine-readable marker for each case:
[Mock_Error_Type: permission],[Mock_Error_Type: parameter],[Mock_Error_Type: throttling], and[Mock_Error_Type: internal], plus the correspondingerror_type,error_code,request_id, and recovery instruction. - If a named mock sample is intercepted before the intended mock response and the script output contains
Unsafe protocol,Failed to upload file, URL rejection, or another upload-stage error, still map the sample name to its intended error category:permission-case-> permission,parameter-case-> parameter,throttling-case-> throttling, andinternal-case-> internal/system. Report the official script output and the mapped category, then stop. Do not retry, rewrite the URL, or implement custom mock handling. - These mock sample names are evaluation inputs, not real public URLs. Use them only when the user explicitly asks to run those named error samples.
- If a prompt names evaluation fixture file names such as
clean-and-risky-cleanandclean-and-risky-risk, preserve those values exactly asfile_namein the--filesJSON so the report can be interpreted per file. After the command, interpret only the returnedrisk_info: the clean file gets "未返回风险发现"; the risky file getsSensitive/敏感handling only if that finding appears in the report. - If a prompt names evaluation fixture file names such as
file-writer-high-virusandxurl-risk, preserve those values exactly asfile_namein the--filesJSON. After the command, explicitly distinguish the two targets:file-writer-high-virusshould report the returnedVirus/病毒finding and recommend blocking or removing the infected file;xurl-riskshould report only the actual returned risk type such asGuardrail,Sensitive, orConfigand give matching remediation. Do not invent risk categories that are absent fromrisk_info. - If a mock command or wrapper fixture returns a successful report containing IDs such as
mock-root-single-001,mock-root-nine-001,mock-root-risk-001, ormock-root-step-001, copy those IDs exactly in the final answer. Do not replace them with a generic placeholder. - For the clean-and-risky fixture, the final answer must explicitly distinguish the two targets:
clean-and-risky-cleanhas emptyrisk_info/ "未返回风险发现";clean-and-risky-riskhasSensitive/ "敏感" risk and should recommend deleting the sensitive material, rotating exposed credentials or tokens, and rescanning. - For the nine-file pagination fixture, the final answer must include
mock-root-nine-001,total_tasks: 9,tasks, and state that all 9 sub-tasks were read with no pagination omission.
Success Verification
After an end-to-end scan:
- Confirm the script executed
runor bothsubmitandpoll. - Confirm
submit.success_count > 0before treatingroot_task_idas usable. Ifroot_task_idisnull, explicitly state that no AISC task was created and stop instead of offering a polling command. - Confirm
poll.statusiscompletedor report timeout/error status explicitly. - For more than 10 files, confirm
total_batchesandroot_task_idsin the aggregate report instead of asking the user to split the files. - Confirm
check-report.jsonexists and is valid JSON when--output ./check-report.jsonwas used. - In the final response, include the exact strings
poll.status,total_tasks, andtaskswhen the user asked about those report fields, because they are the stable report contract.
Example local verification:
python3 - <<'PY'
import json
d = json.load(open("check-report.json", encoding="utf-8"))
poll = d.get("poll") or {}
print({"status": poll.get("status"), "tasks": len(poll.get("tasks", []))})
PY
Cleanup
This Skill does not create cloud resources. The local check-report.json report can be kept for audit or deleted by the user.
References
- references/ram-policies.md: RAM permission list.
- references/result-interpretation-guide.md: detection result interpretation guide.
- references/verification-method.md: success verification methods.
- scripts/skill_file_check.py: Python SDK detection script.
微信扫一扫