ZeroLeaks SDK
Agent-Skill Scans
Review remote or archived agent skills for prompt injection and unsafe behavior.
Agent-Skill Scans
Skill scans inspect agent instruction packages, supporting files, trust boundaries, and behavior-changing content.
Scan a remote source
const result = await zeroleaks.skillScans.run({
source: "https://github.com/example/agent-skills/tree/main/research",
mode: "full",
toolProfile: "networked",
includeAssets: false,
});
console.log(result.report);Upload an archive
import { readFile } from "node:fs/promises";
const archive = await readFile("./my-skill.zip");
const created = await zeroleaks.skillScans.uploadArchive(archive, {
fileName: "my-skill.zip",
mode: "full",
delivery: "async",
});ZIP archives are limited by the API upload policy. Keep secrets, dependency caches, and unrelated build artifacts out of the archive.
Delivery modes
asyncreturns ascanId; useget()orwait()for the result.syncholds the request open and returns the report directly. Use it only in jobs with a sufficiently long execution timeout.
const report = await zeroleaks.skillScans.create({
source,
delivery: "sync",
timeoutMs: 600_000,
});Webhooks
Async scans can send completion callbacks:
await zeroleaks.skillScans.create({
source,
webhookUrl: "https://example.com/webhooks/zeroleaks",
webhookSecret: process.env.ZEROLEAKS_WEBHOOK_SECRET,
});Webhook URLs must use HTTPS and pass the platform's outbound URL safety checks.