Public GitHub repository scanning

Scan agent-facing repositories before they reach your workflow.

AAF Cloud Scan reviews public GitHub repositories for risky agent artifacts, hooks, MCP configs, plugin files, scripts, and repo instructions before you install, merge, or adopt them.

  • Public GitHub repositories only
  • Hooks, scripts, and MCP configs
  • Signed callbacks and isolated workflow
  • JSON and Markdown reports

Start a repository scan

Paste a public GitHub repository URL

Queue a scan, open a report, and review verdicts, findings, and downloadable outputs in one place.

Public GitHub repositories only. Private repositories are not supported.

What it checks

Repository trust review for agent-facing files.

Focused coverage for the files that shape agent behaviour, tool access, and workflow automation.

01

What gets scanned

Review the files most likely to change prompts, tools, hooks, and runtime behaviour.

  • Agent skills and instruction packs
  • Hooks and automation scripts
  • MCP configuration files
  • Plugin manifests and repo instructions

02

How it works

A fast path from repository URL to a report your team can review immediately.

  1. Validate the public GitHub repository URL
  2. Queue an isolated scan workflow
  3. Review verdict, findings, and exports

03

Built-in safeguards

Narrow scope, predictable controls, and a report-first workflow designed for trust.

  • Strict GitHub URL validation
  • Public repositories only
  • Rate limits and repository size checks
  • No target repo code execution

Why this exists

Trust-sensitive repo files deserve their own review step.

Modern agent tooling often ships critical behaviour outside traditional application code. AAF Cloud Scan helps developers, security engineers, and technical founders inspect those files before install, merge, or adoption.

Clear verdicts

Understand the overall outcome quickly, with severity and supporting context at a glance.

Readable findings

Review structured findings without digging through raw logs or piecing together workflow output.

Downloadable reports

Export JSON and Markdown for security review, internal sharing, or audit records.