A full-stack AI Red Teaming platform securing AI ecosystems via OpenClaw Security Scan, Agent Scan, Skills Scan, MCP scan, AI Infra scan and LLM jailbreak evaluation.
A.I.G (AI-Infra-Guard) integrates capabilities such as ClawScan (OpenClaw Security Scan), Agent Scan, AI infra vulnerability scan, MCP Server & Agent Skills scan, and Jailbreak Evaluation, aiming to provide users with the most comprehensive, intelligent, and user-friendly solution for AI security risk self-examination.
We are committed to making A.I.G(AI-Infra-Guard) the industry-leading AI red teaming platform. More stars help this project reach a wider audience, attracting more developers to contribute, which accelerates iteration and improvement. Your star is crucial to us!
Method 1: Run from pre-built images
# This method pulls pre-built images from Docker Hub for a faster start
git clone https://github.com/Tencent/AI-Infra-Guard.git
cd AI-Infra-Guard
# For Docker Compose V2+, replace 'docker-compose' with 'docker compose'
docker-compose -f docker-compose.images.yml up -d
Once the service is running, you can access the A.I.G web interface at:
http://localhost:8088
Use from OpenClaw
You can also call A.I.G directly from OpenClaw chat via the aig-scanner skill.
clawhub install aig-scanner
Then configure AIG_BASE_URL to point to your running A.I.G service.
Method 2: One-click install script
# This method will automatically install Docker and launch A.I.G with one command
curl https://raw.githubusercontent.com/Tencent/AI-Infra-Guard/refs/heads/main/docker.sh | bash
Method 3: Build and run from source
git clone https://github.com/Tencent/AI-Infra-Guard.git
cd AI-Infra-Guard
# This method builds a Docker image from local source code and starts the service
# (For Docker Compose V2+, replace 'docker-compose' with 'docker compose')
docker-compose up -d
Note: The AI-Infra-Guard project is positioned as an AI red teaming platform for internal use by enterprises or individuals. It currently lacks an authentication mechanism and should not be deployed on public networks.
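Because the web interface has no authentication, the practical control is to make sure port 8088 is only reachable from the host itself. The following is an added defender's check, not code from the AI-Infra-Guard project: it parses Linux `ss -ltn` output and reports every bind of the A.I.G port that is not loopback-only. The sample output and the `check_live` helper are assumptions for illustration.

```python
"""Verify that the unauthenticated A.I.G web port is bound only to loopback.

Added example, not part of the AI-Infra-Guard project. It parses `ss -ltn`
output (Linux) and flags wildcard or non-loopback binds of the A.I.G port.
The SAMPLE_SS text below is constructed for demonstration.
"""
from __future__ import annotations

import ipaddress
import subprocess

AIG_PORT = 8088  # default port used by the project's docker-compose deployment


def _split_addr(local: str) -> tuple[str, int]:
    # ss prints the local socket as "0.0.0.0:8088", "[::]:8088", "*:8088"
    # or "127.0.0.1:8088"; split on the last colon so IPv6 survives.
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host: str) -> bool:
    """True only for 127.0.0.0/8 and ::1; wildcards count as exposed."""
    if host in ("*", ""):
        return False  # wildcard bind: listens on every interface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable address: treat as exposed, not as safe


def exposed_listeners(ss_output: str, port: int = AIG_PORT) -> list[str]:
    """Return the local addresses on `port` that are reachable beyond loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        # data rows look like: LISTEN 0 4096 127.0.0.1:8088 0.0.0.0:*
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, bound_port = _split_addr(fields[3])
        if bound_port == port and not is_loopback(host):
            exposed.append(fields[3])
    return exposed


def check_live(port: int = AIG_PORT) -> list[str]:
    """Run `ss -ltn` on this host and return exposed binds (assumed helper)."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True)
    return exposed_listeners(out.stdout, port)


# Constructed sample: one safe loopback bind plus two wildcard binds of 8088.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:8088      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:8088        0.0.0.0:*
LISTEN 0      4096   [::]:8088           [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""

if __name__ == "__main__":
    print("exposed A.I.G binds:", exposed_listeners(SAMPLE_SS))
```

If the check reports a wildcard bind, the usual Docker Compose remedy is to publish the port as "127.0.0.1:8088:8088" in an override file; since Docker also installs iptables forwarding rules for published ports, confirm the result with `docker port <container>` as well.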
Experience the Pro version with advanced features and improved performance. The Pro version requires an invitation code and is prioritized for contributors who have submitted issues, pull requests, or discussions, or actively help grow the community. Visit: https://aigsec.ai/.
✨ Features
ClawScan (OpenClaw Security Scan): Supports one-click evaluation of OpenClaw security risks. It detects insecure configurations, Skill risks, CVE vulnerabilities, and privacy leakage.
Agent Scan: An independent, multi-agent automated scanning framework designed to evaluate the security of AI agent workflows. It supports agents running across various platforms, including Dify and Coze.
MCP Server & Agent Skills scan: Detects 14 major categories of security risks in both MCP Servers and Agent Skills. It supports scanning from both source code and remote URLs.
AI infra vulnerability scan: Identifies over 55 AI framework components and covers more than 1000 known CVE vulnerabilities. Supported frameworks include Ollama, ComfyUI, vLLM, n8n, Triton Inference Server and more.
Jailbreak Evaluation: Assesses prompt security risks using carefully curated datasets, applying multiple attack methods to test robustness, with detailed cross-model comparison.
💎 Additional Benefits
🖥️ Modern Web Interface: User-friendly UI with one-click scanning and real-time progress tracking
🔌 Complete API: Full interface documentation and Swagger specifications for easy integration
🌐 Multi-Language: Chinese and English interfaces with localized documentation
🐳 Cross-Platform: Linux, macOS, and Windows support with Docker-based deployment
🆓 Free & Open Source: Completely free under the Apache 2.0 license
🖼️ Showcase
A.I.G Main Interface
Plugin Management
🗺️ Quick Usage Guide
After deployment, open http://localhost:8088 in your browser.
AI Infrastructure Vulnerability Scan
What to enter as the target URL / IP?
The target is the network address of a running AI service you want to scan - not a GitHub URL or source code path. A.I.G connects to the live service and fingerprints it for known CVE vulnerabilities.
1. In the A.I.G web UI, click "AI基础设施安全扫描 / AI Infra Scan"
2. Enter http://127.0.0.1:8000 (or the IP/port where vLLM is listening)
3. Click Start Scan - A.I.G will fingerprint the service and match it against 1000+ known CVEs
4. View the report: component version, matched vulnerabilities, severity, and remediation links
💡 Tip: To scan the nightly build of vLLM specifically, just run that nightly build and point A.I.G at its address. The scanner detects the version automatically.
MCP Server & Agent Skills Scan
Enter either a remote URL (e.g. https://github.com/user/mcp-server) or upload a local source archive - no running instance required.
Jailbreak Evaluation
Configure the target LLM's API endpoint (base URL + API key) in Settings → Model Config, then select a dataset and start the evaluation.
For more detailed FAQs and troubleshooting guides, visit our documentation.
🔧 API Documentation
A.I.G provides a comprehensive set of task creation APIs that support AI infra scan, MCP Server Scan, and Jailbreak Evaluation capabilities.
After the project is running, visit http://localhost:8088/docs/index.html to view the complete API documentation.
For detailed API usage instructions, parameter descriptions, and complete example code, please refer to the Complete API Documentation.
📝 Contribution Guide
The extensible plugin framework serves as A.I.G's architectural cornerstone, inviting community innovation through Plugin and Feature contributions.
Plugin Contribution Rules
Fingerprint Rules: Add new YAML fingerprint files to the data/fingerprints/ directory.
Vulnerability Rules: Add new vulnerability scan rules to the data/vuln/ directory.
MCP Plugins: Add new MCP security scan rules to the data/mcp/ directory.
Jailbreak Evaluation Datasets: Add new Jailbreak evaluation datasets to the data/eval directory.
Please refer to the existing rule formats, create new files, and submit them via a Pull Request.
Thanks to all the developers who have contributed to the A.I.G project. Your contributions have been instrumental in making A.I.G a more robust and reliable AI Red Team platform.
🤝 Appreciation for Our Users
We are deeply grateful to the following teams and organizations for their trust and valuable feedback in using A.I.G.
For collaboration inquiries or feedback, please contact us at: zhuque@tencent.com
🔗 Recommended Security Tools
If you are interested in code security, check out A.S.E (AICGSecEval), the industry's first repository-level AI-generated code security evaluation framework open-sourced by the Tencent Wukong Code Security Team.
📖 Citation
If you use A.I.G in your research, please cite:
@misc{Tencent_AI-Infra-Guard_2025,
author={{Tencent Zhuque Lab}},
title={{AI-Infra-Guard: A Comprehensive, Intelligent, and Easy-to-Use AI Red Teaming Platform}},
year={2025},
howpublished={GitHub repository},
url={https://github.com/Tencent/AI-Infra-Guard}
}
📚 Related Papers
We are deeply grateful to the research teams who have used A.I.G in their academic work and contributed to advancing AI security research:
[1] Naen Xu, Jinghuai Zhang, Ping He et al. "FraudShield: Knowledge Graph Empowered Defense for LLMs against Fraud Attacks." arXiv preprint arXiv:2601.22485v1 (2026). [pdf]
[2] Ruiqi Li, Zhiqiang Wang, Yunhao Yao et al. "MCP-ITP: An Automated Framework for Implicit Tool Poisoning in MCP." arXiv preprint arXiv:2601.07395v1 (2026). [pdf]
[3] Jingxiao Yang, Ping He, Tianyu Du et al. "HogVul: Black-box Adversarial Code Generation Framework Against LM-based Vulnerability Detectors." arXiv preprint arXiv:2601.05587v1 (2026). [pdf]
[4] Yunyi Zhang, Shibo Cui, Baojun Liu et al. "Beyond Jailbreak: Unveiling Risks in LLM Applications Arising from Blurred Capability Boundaries." arXiv preprint arXiv:2511.17874v2 (2025). [pdf]
[5] Teofil Bodea, Masanori Misono, Julian Pritzi et al. "Trusted AI Agents in the Cloud." arXiv preprint arXiv:2512.05951v1 (2025). [pdf]
[6] Christian Coleman. "Behavioral Detection Methods for Automated MCP Server Vulnerability Assessment." [pdf]
[7] Bin Wang, Zexin Liu, Hao Yu et al. "MCPGuard : Automatically Detecting Vulnerabilities in MCP Servers." arXiv preprint arXiv:22510.23673v1 (2025). [pdf]
[8] Weibo Zhao, Jiahao Liu, Bonan Ruan et al. "When MCP Servers Attack: Taxonomy, Feasibility, and Mitigation." arXiv preprint arXiv:2509.24272v1 (2025). [pdf]
[9] Ping He, Changjiang Li, et al. "Automatic Red Teaming LLM-based Agents with Model Context Protocol Tools." arXiv preprint arXiv:2509.21011 (2025). [pdf]
[10] Yixuan Yang, Daoyuan Wu, Yufan Chen. "MCPSecBench: A Systematic Security Benchmark and Playground for Testing Model Context Protocols." arXiv preprint arXiv:2508.13220 (2025). [pdf]
[11] Zexin Wang, Jingjing Li, et al. "A Survey on AgentOps: Categorization, Challenges, and Future Directions." arXiv preprint arXiv:2508.02121 (2025). [pdf]
[12] Yongjian Guo, Puzhuo Liu, et al. "Systematic Analysis of MCP Security." arXiv preprint arXiv:2508.12538 (2025). [pdf]
📧 If you have used A.I.G in your research or product, or if we have inadvertently missed your publication, we would love to hear from you! Contact us here.
📄 License
This project is licensed under the Apache License 2.0. See the LICENSE file for details.
⚖️ License & Attribution
This project is open-sourced under the Apache License 2.0. We warmly welcome and encourage community contributions, integrations, and derivative works, subject to the following attribution requirements:
Retain notices: You must retain the LICENSE and NOTICE files from the original project in any distribution.
Product attribution: If you integrate AI-Infra-Guard's core code, components, or scanning engine into your open-source project, commercial product, or internal platform, you must clearly state the following in your product documentation, usage guide, or UI "About" page:
"This project integrates AI-Infra-Guard, open-sourced by Tencent Zhuque Lab."
Academic & article citation: If you use this tool in vulnerability analysis reports, security research articles, or academic papers, please explicitly mention "Tencent Zhuque Lab AI-Infra-Guard" and include a link to the repository.
Repackaging this project as an original product without disclosing its origin is strictly prohibited.
Release History
Version | Changes | Urgency | Date
v4.1.11 (Urgency: High, Date: 6/4/2026)
## [v4.1.11] - 2026-06-04
### Changed
- **Docs**: Add Wuhan University and Unicom Digital Tech logos to all READMEs (3af7f63)
- **Docs**: Add v4.1.10 to What's New across all 9 README languages (5e0a6f4)
### Contributors
Special thanks to @aigsec, @jucie-pie, @aig-doc-bot
v4.1.10
## [v4.1.10] - 2026-05-28
### Added
- **Data**: Add CVE rules and fingerprints for new targets (junoclaw, lollms, sglang) (6054e45)
- **Scan**: Support WebSocket agent providers (2c845e8)
### Fixed
- **Scan**: Resolve uv run failures in Docker and improve dify version detection (23f098a)
- **Chromium**: Add defer Close() to prevent zombie processes (b617bf7)
- **Data**: Correct sglang fingerprint YAML structure (version as top-level key) (653cc9a)
### Changed
- **Docs**: Add v4.1.9 to What's
v4.1.8 (Urgency: High, Date: 5/14/2026)
## [v4.1.8] - 2026-05-14
### Fixed
- **Tools**: Make tool name lookup case-insensitive (2e76c7d)
- **Vuln Rules**: Remove 143 duplicate GHSA files that have corresponding CVE references (bf06029)
- **Vuln Rules**: Remove invalid fingerprints (chatgpt-mcp-server/pptagent), fix GHSA-9p3r YAML format (8a19ff8)
- **Vuln Rules**: Restore GHSA files added upstream after base commit (6cdecfd)
### Changed
- **Docs**: Add invitation code application link to all README files (08c356a)
- **Docs**: Add 1
v4.1.7 (Urgency: High, Date: 4/30/2026)
## [v4.1.7] - 2026-04-30
### Changed
- **Docs**: Update README What's New section with v4.1.6 highlights, update component count (57→58) and vulnerability stats across all 9 README languages (75946d1)
- **Users**: Update user list (7c2a7f1)
### Contributors
Special thanks to @jucie-pie, @aigsec, @aig-doc-bot
v4.1.6 (Urgency: High, Date: 4/23/2026)
## [v4.1.6] - 2026-04-23
### Added
- **Docker**: Add git to runtime dependencies in Dockerfile (69f7430)
- **Vuln Rules**: Add AIG vulnerability rules [2026-04-23] (#350)
- **Vuln Rules**: Detect exposed AI agent config files (claude_desktop_config.json, mcp.json, etc.) (#340)
- **Vuln Rules**: Add Trae IDE and CodeBuddy MCP config paths, extend .env key patterns
- **Data Sync**: Replace zip download with git clone, remove github_token dependency (#327)
- **Manual Updates**: Support manual upda
v4.1.5 (Urgency: High, Date: 4/23/2026)
## [v4.1.5] - 2026-04-23
### Added
- **Agent Scan**: Add jailbreak detection support and implement ModelJailbreak task (45d171b)
- **Vuln Rules**: Detect exposed AI agent config files (claude_desktop_config.json, mcp.json, etc.) (18049bc)
- **Vuln Rules**: Add Trae IDE and CodeBuddy MCP config paths, extend .env key patterns (59f4bd9)
- **Data Sync**: Replace zip download with git clone, remove github_token dependency (b7ce189)
- **Manual Updates**: Support manual updates to the latest jailbrea
v4.1.4 (Urgency: High, Date: 4/17/2026)
## [v4.1.4] - 2026-04-17
### Security
- **TLS**: Support HTTPS connections with self-signed/private CA certificates for model endpoints; add InsecureSkipVerify option (#306, closes #302)
### Added
- **MCP Scan**: Add multi-turn red team attack module with TAP and Crescendo strategies (#299)
- **System API**: Add data auto-sync API (`POST /api/v1/system/update-data`, `GET /api/v1/system/update-status`) for syncing `data/` directory (#301)
- **Agent Scan API**: Support inline `agent_config` in a
v4.1.3 (Urgency: High, Date: 4/9/2026)
## [v4.1.3] - 2026-04-09
### Fixed
- **Fingerprint**: Add version extractor to OpenClaw fingerprint for accurate version detection (#286)
- **MCP Scan**: Harden agent loop and path validation, clean up config (#282)
### Changed
- **Vulnerability Rules**: Remove duplicate GHSA files already covered by CVE entries (OpenClaw dedup)
### Documentation
- Add quick usage guide with concrete scan target examples (issue #281)
- Sync env.example context window vars, update install and test commands for
v4.1.2 (Urgency: Medium, Date: 4/3/2026)
## [v4.1.2] - 2026-04-03
### Fixed
- **Task Control**: Added support for stopping running tasks, allowing users to actively terminate scans in progress
- **AI Infra Scan**: Fixed a bug where the "No Model" option could not be selected in AI infrastructure scan task configuration, preventing users from creating model-free scan tasks
- **AI Infra Scan**: Fixed double-dot filename bug in scan file upload that caused certain filenames to be incorrectly rejected
- **AI Infra Scan**: Fixed concurrent
v4.1.1 (Urgency: Medium, Date: 3/25/2026)
## [v4.1.1] - 2026-03-25
### Added
- **New Vulnerability Rules**: Added AIG rules batch [2026-03-25], expanding AI component vulnerability detection coverage
- **Fingerprint Enhancement**: Added correct new-api fingerprint matcher syntax (FOFA 100%)
### Fixed
- **Security**: Mask token fields in GetTaskDetail response to prevent credential leakage (#226)
- **MCP Scan**: Fix missing imports and mcp_tool alias in mcp_tool module
- **Documentation**: Fix incorrect license name in README.md; fix M
v4.1 (Urgency: Medium, Date: 3/23/2026)
## [v4.1] - 2026-03-23
### Added
- **New Scan Port**: Added port 18789 to the default AI infrastructure scan port list for broader AI component coverage
- **New Vulnerability Rules**: Added AIG Rules (2026-03-20 batch), continuously expanding the AI component vulnerability detection rule library
- **OpenClaw Vulnerability Database**: Added 281 new CVE/GHSA entries for OpenClaw components, covering a wide range of AI infrastructure security advisories
- **YAML CI/CD Validation**: Introduced auto
v4.0
AI-Infra-Guard v4.0 is officially released! This major update brings significant advancements to our security evaluation capabilities. We are thrilled to highlight the enhanced **EdgeOne ClawScan**, providing a dedicated and comprehensive security portal for OpenClaw. Alongside this, we are introducing the brand-new and entirely independent **Agent-Scan Framework**, plus multiple system optimizations.
## 🌟 Highlight: EdgeOne ClawScan (OpenClaw Security Scan)
To provide robust and dedicated se
v3.6.0
## [v3.6.0] - 2026-01-17
### Added
- 🔐 **System Administration**: Added SYS_ADMIN capability for Chrome sandbox and database indexes for performance enhancement (@zhuque)
- 📊 **Report Enhancement**: Updated feature and pager, resolved text misalignment in PDF report download (@zonashi)
- 📝 **User Guide**: Updated user guide for new features (@zonashi)
- ⏱️ **Scan Metrics**: Added model & scan duration in AI tool protocol scan report (@zonashi)
- 👥 **User Management**: Refactored User
v3.5.0
## [v3.5.0] - 2025-12-26
### Added
- 📚 **Research & Documentation**: Added AIG Technical Report, Black Hat Europe 2025 slides, and Black Hat Arsenal presentation (@hermitgreen, @Nicky, @LouisHovaldt)
- 🎓 **Academic Collaborations**: Added academic collaboration section with partner institutions (@zonashi)
- 🔍 **Dynamic Analysis Framework**: Complete dynamic analysis workflow with specialized agents for malicious behavior testing and vulnerability testing (@sc, @MoonBirdLin)
- 🛡️ **Sec
Low
12/26/2025
v3.5-rc3 (Urgency: Low, Date: 12/9/2025)
## [v3.5-rc3] - 2025-12-10
- fixed mcp-scan not found directory bug
- update frontend
v3.5-preview-2
## [v3.5-rc2] - 2025-12-05
### Changed
- Improved the onboarding guide for frontend newcomers
- Vulnerability database: Added 100+ AI component CVEs, with support for detecting the latest React2Shell vulnerability (CVE-2025-55182), which affects popular AI frameworks such as Dify, NextChat, and LobeChat.
v3.4.4
## [v3.4.4] - 2025-11-05
### Fixed
1. Fixed issue where prompts could be incorrectly split
2. Added generalized model loading logs
3. Added model loading parameter combination attempts
4. Fixed model invocation parameter compatibility issue
5. Optimized log display
6. Fixed https://github.com/Tencent/AI-Infra-Guard/issues/110
Low
11/5/2025
v3.4.3
## [v3.4.3] - 2025-10-27
### Added
- 🔧 **API Documentation Support**: Updated and enhanced API documentation support, providing more complete interface documentation and Swagger specifications.
- 🤖 **Model Invocation Base Class**: Added base class methods for model invocation, improving code reusability and maintainability.
- 📊 **Evaluation Dataset Expansion**: Added test datasets related to Cyberattack and CBRN weapons.
### Fixed
- 🛠️ **CSV Encoding Issue**: Fixed Chinese garbled text issue
v3.4
## [v3.4] - 2025-09-18
### Added
- 🌐 **Internationalization Support**: Implemented frontend interface internationalization (i18n) support, including multi-language text and English screenshot resources.
- 🐳 **Docker Enhancement**: Updated one-click deployment script, added Docker pull error information prompt, and supported Apple ARM architecture deployment.
- ⚡ **Task Concurrency Control**: Added task concurrency limit feature, optimized system resource management.
- 🔄 **Model Retry Logic**: Up
Low
9/18/2025
v3.3 (Urgency: Low, Date: 9/3/2025)
- Added one-click Docker deployment script for Linux
- Fixed SSE connection failure issue when disk read/write is slow
- Optimized AI infrastructure scanning probe
v3.2
## [v3.2] - 2025-08-26
### Added
- 📊 **MCP Scan Report Optimization**: Added more dimensions of detection data display, improving user experience.
- 📱 **Narrow Screen Security Report Adaptation**: Optimized the display of large model security check reports on narrow screens.
- ⚙️ **New Model Concurrency Limit**: Introduced new model concurrency limit feature.
### Fixed
- 🔌 **Fixed MCP SSE Timeout Issue**: Resolved the timeout issue of Server-Sent Events (SSE) in MCP (Model Contr