---
name: shield.vainplex.dev
description: shield.vainplex.dev provides a single security scanning endpoint that analyzes AI skill, plugin, or tool manifests for supply chain risks before installation or execution. It evaluates manifests across 8 risk categories and returns a numeric risk score, a risk level classification, and structured findings. It does not perform runtime monitoring or general web vulnerability scanning.
host: shield.vainplex.dev
---

# shield.vainplex.dev

This host is a pre-execution security gate for AI agent ecosystems. It serves agents and orchestration platforms that need to vet third-party skills or plugins before integrating them. Its scope is narrow and deliberate: manifest-level supply chain analysis only, not broad security auditing.

## When to use this host

Use this host when an agent needs a security preflight check before installing or executing an AI skill, plugin, or tool manifest — particularly in automated pipelines where unvetted third-party skills could introduce supply chain risks. Do not use it for runtime monitoring of live services, general web application vulnerability scanning, network security assessments, or code static analysis beyond manifest inspection. For those needs, route to dedicated DAST/SAST tools or runtime observability platforms. This host is also not a substitute for full dependency auditing of software packages; it is scoped specifically to AI skill and plugin manifest formats.

## Capabilities

### Manifest Supply Chain Security

Scans an AI skill or plugin manifest for supply chain security risks across 8 categories, returning a risk score, risk level, and structured findings that an agent can act on before proceeding with installation or execution.

- **`scan-cdp-skill-security`** — Analyzes an AI skill or plugin manifest for supply chain security issues across 8 risk categories and returns a risk score, risk level, and structured findings.

## Skill reference

### `scan-cdp-skill-security`

**CDP Skill Supply Chain Security Scanner** — Analyzes an AI skill or plugin manifest for supply chain security issues across 8 risk categories and returns a risk score, risk level, and structured findings.

*Use when:* Use when an agent is about to install or execute an AI skill, plugin, or tool manifest and needs a security preflight check to detect supply chain risks before proceeding.

*Not for:* Do not use for general web vulnerability scanning or runtime monitoring of deployed services; this endpoint is scoped to AI skill/plugin manifest analysis only.

**Inputs:**

- `skill` (string, required) — Skill name from ClawHub or raw SKILL.md content to be scanned. Maximum 102400 characters.
- `demo` (boolean) — Enable demo mode. Defaults to false.
- `shieldapi_source` (string) — Optional campaign/source tag for attribution of paid calls (e.g. awesome-x402, langchain-recipe). Pattern: ^[a-zA-Z0-9_.:-]{1,80}$.

**Returns:** Returns riskScore, riskLevel (e.g. CLEAN), an empty or populated findings array, a plain-text summary, and scan metadata including categoriesChecked (8) and totalPatterns (204).

**Example:** `{"skill": "payments-connector"}`

---