AAF Cloud Scan

Why this matters

The new attack surface is often outside the application code.

Agent workflows can be compromised by repo-level files that shape what the agent sees, trusts, and executes. That is why this scanner is built to surface risky instructions and automation artifacts early.

Agent risk can hide in repo instructions, hooks, manifests, and config long before anyone notices at runtime.

SKILL.md instruction packs AGENTS.md repo guidance Hooks and bootstrap scripts MCP configs Plugin manifests Prompt-injection phrasing Approval-bypass language Secret access attempts

What the product gives you

Fast review signal, not just a generic scan form.

Designed to make trust decisions easier before install, merge, or adoption.

01

Clear verdicts

Understand quickly whether a repo looks safe, needs review, or carries obvious agent-facing risk.

02

Actionable findings

See flagged files, artifact classes, and why they deserve scrutiny without digging through raw logs.

03

Exportable reports

Download JSON and Markdown outputs for internal review, audit notes, and handoff workflows.

How it works

A narrow, trust-first scan flow.

The product is intentionally scoped to review public GitHub repositories without executing target repo code.

01

Validate the repository

Check that the URL is a supported public GitHub repo and apply size and scope guardrails before queueing.

02

Run an isolated review

Queue an isolated workflow that inspects agent-facing files and returns a signed callback with the result.

03

Review the output

Open a readable report page with verdict, findings, severity context, and downloadable report formats.

Trust model

Built to reduce review friction without pretending to be magic.

Guardrails

Strict GitHub URL validation
Public repositories only
Rate limits and repository size checks
No target repo code execution

Trust signals

Readable verdict categories
Structured findings with context
Downloadable JSON and Markdown
Signed callback flow for result integrity

Use it your way

Use the hosted scanner, inspect the GitHub repository directly, or wire the command-line and action flow into your own review process.

View the GitHub repository

Deep explanation

What Agent Artifact Firewall is and why repositories need this new layer of review

Agent Artifact Firewall exists because the security surface of modern repositories has expanded beyond traditional application code.

Traditional repository review was built around a simpler question: does the code itself do something dangerous? That still matters, but it is no longer enough. Modern AI-enabled workflows create a second trust boundary around the files that shape what an agent sees, trusts, and executes.

That includes files like SKILL.md, AGENTS.md, hook definitions, bootstrap scripts, MCP configurations, plugin manifests, tool instructions, and repo-level orchestration guidance. These files may not compile into the application, but they can still influence what an agent believes it is allowed to do, what tools it reaches for, what scripts it runs, and what approvals it tries to bypass.

The real problem AAF is built to solve

Repositories are increasingly becoming behavioural environments, not just code containers. An agent can be steered by setup instructions, embedded execution patterns, configuration files, and local guidance that sits around the code rather than inside it. That means a repository can appear harmless under normal application review while still containing artifacts that become dangerous once an agent workflow touches them.

Agent Artifact Firewall is designed to catch that class of risk earlier. It looks for agent-facing repository artifacts that can manipulate, poison, expand, or abuse AI-enabled workflows before install, merge, or adoption.

What AAF Cloud Scan actually does

AAF Cloud Scan is the public product surface built around that security model. A user pastes a public GitHub repository URL, the system validates it, queues an isolated scan job, and returns a report page with status, verdict, findings, severity context, artifact classes, and downloadable JSON and Markdown outputs.

The point is not security theatre. The point is to give maintainers, reviewers, and builders a faster trust signal before they allow a repository into an AI-assisted workflow.

How the scan flow works

The product is intentionally narrow and trust-first. It validates a supported public GitHub URL, creates a job record, dispatches an isolated GitHub Actions workflow, downloads the target repo archive without executing repo code, runs the scanner against the extracted contents, and returns the result through a signed callback flow. The report page then renders the final output for review.

This architecture matters because it avoids treating the target repository like something that should simply be executed. The repo is reviewed as content first.

What kinds of risks it is looking for

AAF is focused on agent-era repository risk: prompt-injection-like instruction language, approval-bypass phrasing, unsafe shell and hook execution patterns, suspicious setup scaffolding, tool-access expansion through config, secret access attempts, and deceptive repository artifacts that create false trust.

In practice, that means surfacing the files around the code that can still change operational behaviour in meaningful ways.

Why this category matters now

As more teams adopt AI coding assistants, local agents, repo-aware automation, and tool-using orchestration systems, the repository itself becomes part of the execution environment. That changes what “safe enough to trust” means. The attack surface moves outward from application logic into instruction environments.

That is why Agent Artifact Firewall matters. It is built around a simple but important shift: before trusting a repository in an agent workflow, review the artifacts that shape agent behaviour.

What the product gives users

AAF Cloud Scan gives users a structured review surface rather than a vague AI answer. The verdict offers a fast top-level signal. Findings explain what was surfaced and why it matters. Severity summaries and artifact classes make the output easier to reason about. JSON and Markdown exports make the product usable inside real internal review and audit workflows.

The goal is not to claim perfect certainty. The goal is to reduce uncertainty before trust.

The trust model behind the product

Because this is a trust-review system, the product itself has to behave carefully. That is why AAF Cloud Scan is scoped to public repositories only, uses strict GitHub URL validation, applies size and rate limits, avoids target repo code execution, and relies on signed callback integrity. Those are not secondary details. They are part of the product promise.

Why Agent Artifact Firewall deserves attention

Security tools matter when they align with where real operational risk is moving. AI-enabled workflows are changing what makes a repository safe to trust. Agent Artifact Firewall is built for that transition. It is not just another code scanner. It is a focused review layer for the repository artifacts that can shape agent behaviour before anyone notices at runtime.

That is the core idea behind AAF Cloud Scan: a trust-first review system for the agent era, designed to help teams inspect risky repository artifacts before they become workflow problems.

Catch risky agent-facing repo files before they enter your workflow.

Repository review verdict

Prompt-injection language in SKILL.md

Unsafe hook execution path

MCP configuration exposure

Paste a public GitHub repository URL