A Claude Code prompt that autonomously scaffolds a full AI artifact scanner CLI.
Paste the prompt into Claude Code and it builds artguard â a working Python CLI
that scans agent skills, MCP server configs, and IDE rule files for security threats,
privacy violations, and instruction-level attacks.
Enterprises are installing AI agent skills, MCP servers, and IDE rule files
(.cursorrules, .clinerules, .windsurfrules) with zero security review.
No existing scanner covers them.
Traditional scanners are built for code packages. AI artifacts are hybrid â part code, part natural language instructions â and the attack surface lives in the instructions themselves.
A YARA rule won't catch a skill that tells your coding agent to approve vulnerable PRs. Static analysis won't surface an artifact that claims "no data stored" while writing to disk.
| Artifact Type | Examples |
|---|---|
| Agent skill files | skills.md, skill.json, tool definitions |
| MCP server configs | mcp.json, server manifests |
| IDE rule files | .cursorrules, .clinerules, .windsurfrules |
| Plugin manifests | manifest.json, API schemas |
Layer 1 â Privacy posture analysis (differentiator) Detects the gap between what an artifact claims to do with your data and what it actually does. Undisclosed storage, covert telemetry, third-party sharing, retention policy mismatches.
Layer 2 â Semantic instruction analysis (differentiator) LLM-powered detection of behavioral manipulation, prompt injection, context poisoning, and goal hijacking in the instruction content itself.
Layer 3 â Static pattern matching (table stakes) Traditional malware patterns â credential harvesting, exfiltration endpoints, obfuscated code â backed by the best free scanners available.
Every scan produces a Trust Profile JSON â a structured AI Bill of Materials designed to feed policy engines, audit trails, and access controls. Not a safe/unsafe binary.
Composite Trust Score: 14 ââââââââââââââââââââ MALICIOUS đ´
ââ PRIVACY POSTURE âââââââââââââââââââââââââââ Score: 32/100 â
â [CRITICAL] PV3 Retention claim mismatch â
â Claims "no data stored" but writes to ~/.cache â
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
ââ BEHAVIORAL INTENT âââââââââââââââââââââââââââââââââââââââââ
â [HIGH] S4 System prompt override detected â
â "Ignore all previous instructions and..." â
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
Requirements: Claude Code, Python 3.11+, an Anthropic API key (for Layer 2).
# 1. Create a new directory
mkdir artguard && cd artguard
# 2. Open Claude Code
claude
# 3. Paste the contents of prompt.md
# Claude Code will scaffold the full project autonomously
# 4. Scan an artifact
artguard scan path/to/skill.md
artguard scan path/to/mcp.json --deep # enables Layer 2 LLM analysis
artguard batch ./skills-directory/Layer 3 integrates YARA rules, heuristic engines, hash lookups, and IP reputation feeds from the best available open-source and free-tier sources â so you get broad coverage without vendor lock-in.
artguard/
âââ artguard/
â âââ cli.py # Click CLI entry point
â âââ schema.py # Finding, TrustProfile dataclasses
â âââ db.py # SQLite feedback corpus
â âââ parsers/ # One parser per artifact type
â âââ analyzers/
â â âââ layer1_privacy.py # Privacy posture analysis
â â âââ layer2_semantic.py # LLM semantic instruction analysis
â â âââ layer3_static.py # Static pattern matching (extractable)
â âââ trust_profile/ # Trust Profile builder + scorer
â âââ output/ # Terminal + export formatting
âââ tests/
â âââ fixtures/ # Benign + malicious sample artifacts
âââ scan_profiles/ # YAML policy configs
âââ prompt.md # â This file is the source of truth
The prompt is the source of truth. Improvements to detection patterns, new artifact parsers, or better YARA rules are all welcome â either as prompt edits or as PRs against the generated codebase.
If you stress-test this against real skill registries (ClawHub, skills.sh, npm MCP packages), findings and false positive rates are especially valuable.
MIT