# ZeroLeaks

ZeroLeaks is an AI red-teaming and agent security platform. It tests AI systems for system prompt extraction, prompt injection, tool abuse, multi-turn manipulation, and deployed-agent data leakage.

## Primary Resources

- Homepage: https://www.zeroleaks.ai
- Documentation: https://www.zeroleaks.ai/docs
- OpenAPI: https://www.zeroleaks.ai/openapi.json
- API catalog: https://www.zeroleaks.ai/.well-known/api-catalog
- A2A agent card: https://www.zeroleaks.ai/.well-known/agent-card.json
- Agent skills: https://www.zeroleaks.ai/.well-known/agent-skills/index.json
- Full agent context: https://www.zeroleaks.ai/llms-full.txt

## Agent Workflows

### Prompt security scan

1. Create a scan with POST /api/scan. Send systemPrompt, scanMode, targetModel, and optional tool or attack-surface options.
2. Store the returned scanId. This is the state handle for the workflow.
3. Poll GET /api/scan/{scanId} until status is completed or failed.
4. Fetch GET /api/report/scan/{scanId} for findings, scores, recommendations, and the conversation log.
5. Cancel an active scan with POST /api/scan/{scanId}/cancel when needed.

### Deployed agent scan

1. Create or update an AgentGuard endpoint config with POST /api/agent-guard/configs.
2. Start the scan with POST /api/agent-scan using agentConfigId.
3. Poll GET /api/agent-scan/{scanId}. Results include prompt security, tool safety, multi-turn resilience, and data-leakage scoring.
4. Cancel with POST /api/agent-scan/{scanId}/cancel.

### Skill security scan

1. Start with POST /api/skills-scan using a source URL or archive upload.
2. For async delivery, store scanId and poll GET /api/skills-scan/{scanId}.
3. Use webhookUrl and webhookSecret when an agent needs callback delivery.

## Authentication

Dashboard users authenticate with better-auth sessions. Programmatic prompt scans also support Bearer API keys with the zl_live_ prefix. Skills scan endpoints require the configured bearer token. Wallet sessions are supported for early access flows.

## Agent Platform Integrations

The public GitHub repository includes AGENTS.md instructions for coding agents, and the site exposes OpenAPI, llms.txt, llms-full.txt, A2A agent-card metadata, and agent-skills discovery. External marketplace verification for ChatGPT, Claude, Gemini, Cursor, Goose, or VS Code must be completed through those platform directories.
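
The prompt security scan workflow (steps 1 to 5 under Agent Workflows) as a bounded polling client. This is an added example, not ZeroLeaks' own code. Assumptions: responses are JSON with top-level `scanId` and `status` fields, the key is read from a hypothetical `ZEROLEAKS_API_KEY` environment variable, and `run_prompt_scan` and `http_send` are illustrative names.

```python
import json
import os
import time
import urllib.parse
import urllib.request

BASE_URL = "https://www.zeroleaks.ai"  # host from the page's resource links


def http_send(method, path, body=None):
    """Default transport: JSON over HTTPS, Bearer key read from the environment."""
    key = os.environ["ZEROLEAKS_API_KEY"]  # assumed variable name; keep keys out of source
    if not key.startswith("zl_live_"):
        raise ValueError("expected an API key with the zl_live_ prefix")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        BASE_URL + path, data=data, method=method,
        headers={"Authorization": "Bearer " + key,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def run_prompt_scan(system_prompt, scan_mode, target_model, send=http_send,
                    interval=5.0, max_polls=120, sleep=time.sleep):
    """Create, poll, then fetch the report. Returns (status, report_or_None)."""
    created = send("POST", "/api/scan", {"systemPrompt": system_prompt,
                                         "scanMode": scan_mode,
                                         "targetModel": target_model})
    # Assumed response shape: top-level "scanId". Quote it before building
    # paths so a malformed value cannot alter the request route.
    scan_id = urllib.parse.quote(str(created["scanId"]), safe="")
    for _ in range(max_polls):
        status = send("GET", "/api/scan/" + scan_id)["status"]  # assumed field
        if status == "completed":
            return status, send("GET", "/api/report/scan/" + scan_id)
        if status == "failed":
            return status, None
        sleep(interval)  # any other status is treated as still in progress
    # Poll budget exhausted: cancel so the scan is not left running unattended.
    send("POST", "/api/scan/" + scan_id + "/cancel")
    return "cancelled", None  # local label, not an API status
```

The `send` parameter accepts any callable with the same signature, so the workflow can be exercised against a stub before a real key is configured.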