ZeroLeaks
ZeroLeaks SDK

Agent-Skill Scans

Review remote or archived agent skills for prompt injection and unsafe behavior.

Agent-Skill Scans

Skill scans inspect agent instruction packages, supporting files, trust boundaries, and behavior-changing content.

Scan a remote source

const result = await zeroleaks.skillScans.run({
  source: "https://github.com/example/agent-skills/tree/main/research",
  mode: "full",
  toolProfile: "networked",
  includeAssets: false,
});

console.log(result.report);

Upload an archive

import { readFile } from "node:fs/promises";

const archive = await readFile("./my-skill.zip");
const created = await zeroleaks.skillScans.uploadArchive(archive, {
  fileName: "my-skill.zip",
  mode: "full",
  delivery: "async",
});

ZIP archives are limited by the API upload policy. Keep secrets, dependency caches, and unrelated build artifacts out of the archive.

Delivery modes

  • async returns a scanId; use get() or wait() for the result.
  • sync holds the request open and returns the report directly. Use it only in jobs with a sufficiently long execution timeout.
const report = await zeroleaks.skillScans.create({
  source,
  delivery: "sync",
  timeoutMs: 600_000,
});

Webhooks

Async scans can send completion callbacks:

await zeroleaks.skillScans.create({
  source,
  webhookUrl: "https://example.com/webhooks/zeroleaks",
  webhookSecret: process.env.ZEROLEAKS_WEBHOOK_SECRET,
});

Webhook URLs must use HTTPS and pass the platform's outbound URL safety checks.

On this page