add skill security scanner with LLM intent review#11
Merged
Conversation
There was a problem hiding this comment.
Pull request overview
This PR introduces new network-facing capabilities (A2A HTTP endpoints and a XiaoZhi WebSocket channel), consolidates URL parsing into a shared helper, and adds a new Python-based “skill security scanner” script with optional LLM intent review.
Changes:
- Added shared
url_parse()utility and migrated multiple components to use it. - Added A2A server/client handler and wired it into the existing
ws_serveraccept path. - Added XiaoZhi channel (WSS control + Opus/UDP helpers) and new build/Kconfig knobs; added
scripts/skill_security_scan.py.
Reviewed changes
Copilot reviewed 24 out of 24 changed files in this pull request and generated 10 comments.
Show a summary per file
| File | Description |
|---|---|
| src/tools/tool_fetch_url.c | Switch URL parsing to shared url_parse() and reuse parsed host/port/path. |
| src/tools/mcp_client.c | Remove local URL parser; use shared url_parse(). |
| src/infra/url_parse.h | New shared URL parser interface. |
| src/infra/url_parse.c | New shared URL parser implementation. |
| src/infra/a2a_handler.h | New A2A protocol handler interface. |
| src/infra/a2a_handler.c | New A2A server/client implementation (HTTP routes + agent invoke bridge). |
| src/core/agent_mem.h | Change heap status reporting behavior under CONFIG_DEBUG_MM. |
| src/channels/xiaozhi_udp.h | New XiaoZhi UDP audio transport interface. |
| src/channels/xiaozhi_udp.c | New XiaoZhi UDP + AES-CTR packet transport implementation. |
| src/channels/xiaozhi_state.h | New XiaoZhi channel state machine definitions. |
| src/channels/xiaozhi_opus.h | New Opus wrapper interface for XiaoZhi. |
| src/channels/xiaozhi_opus.c | New Opus wrapper implementation (real + stub). |
| src/channels/xiaozhi_channel.h | New XiaoZhi WSS channel API. |
| src/channels/xiaozhi_channel.c | New XiaoZhi WSS channel implementation (OTA config fetch + reconnect). |
| src/channels/ws_server.c | Route initial HTTP traffic to A2A handler before WS upgrade. |
| src/channels/weixin_channel.c | Use shared url_parse() for base URL host extraction. |
| src/channels/nsh_commands.c | Add CLI command to set XiaoZhi OTA endpoint. |
| src/channels/feishu_http.c | Use shared url_parse() for WS URL parsing. |
| src/channels/cmd_llm.c | Use shared url_parse() for URL-based LLM backend config. |
| src/agent_main.c | Initialize/start/stop XiaoZhi channel when enabled. |
| scripts/skill_security_scan.py | New skill security scanning tool (static + optional LLM intent review). |
| Kconfig | Add new config toggles (BLE options, XiaoZhi channel). |
| include/agent_config.h | Add XiaoZhi config keys. |
| CMakeLists.txt | Add new sources; add conditional BLE/XiaoZhi source lists. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+207
to
+215
| if (url_parse(s_ws_url, &ws_parsed) != 0) { | ||
| syslog(LOG_ERR, "[%s] Invalid WS URL: %s\n", TAG, s_ws_url); | ||
| return -EINVAL; | ||
| } | ||
|
|
||
| memcpy(s_ws_host, ws_parsed.host, sizeof(s_ws_host)); | ||
| memcpy(s_ws_port, ws_parsed.port, sizeof(s_ws_port)); | ||
| memcpy(s_ws_path, ws_parsed.path, sizeof(s_ws_path)); | ||
|
|
Comment on lines
+216
to
+217
| syslog(LOG_INFO, "[%s] OTA OK: ws=%s token=%.20s...\n", | ||
| TAG, s_ws_url, s_ws_token); |
Comment on lines
+143
to
+150
| static void a2a_tap_cb(const agent_msg_t *msg, void *cookie) | ||
| { | ||
| a2a_invoke_ctx_t *ctx = (a2a_invoke_ctx_t *)cookie; | ||
| if (ctx->done) return; /* caller already timed out and moved on */ | ||
| if (msg->content) | ||
| ctx->response = strdup(msg->content); | ||
| sem_post(&ctx->sem); | ||
| } |
Comment on lines
+55
to
+68
| st->total_heap = 128 * 1024 * 1024; | ||
| st->free_heap = 128 * 1024 * 1024; | ||
| st->largest_block = 64 * 1024 * 1024; | ||
|
|
||
| #if !defined(CONFIG_DEBUG_MM) | ||
| /* Only call mallinfo when heap debug assertions are disabled, | ||
| * because CONFIG_DEBUG_MM enables strict node validation in | ||
| * mm_foreach that can assert on edge cases (e.g. tmpfs-only boot) */ | ||
| struct mallinfo mi = mallinfo(); | ||
| st->total_heap = mi.arena; | ||
| st->free_heap = mi.fordblks; | ||
| st->largest_block = mi.fordblks; /* conservative estimate */ | ||
| if (mi.arena > 0) { | ||
| st->total_heap = mi.arena; | ||
| st->free_heap = mi.fordblks; | ||
| st->largest_block = mi.fordblks; | ||
| } |
Comment on lines
+129
to
+133
| list(APPEND AGENT_SRCS src/infra/ble_gatt.c) | ||
| endif() | ||
|
|
||
| if(CONFIG_AI_AGENT_BLE_NET) | ||
| list(APPEND AGENT_SRCS src/infra/ble_net.c) |
| uint8_t* opus_out, size_t opus_cap, | ||
| uint32_t* out_sequence) | ||
| { | ||
| if (sockfd < 0 || !aes || !opus_out) |
Comment on lines
+102
to
+107
|
|
||
| mbedtls_aes_init(&ctx->aes); | ||
| int ret = mbedtls_aes_setkey_enc(&ctx->aes, key, 128); | ||
| if (ret != 0) { | ||
| syslog(LOG_ERR, "[%s] aes_setkey_enc failed: -0x%04x\n", | ||
| TAG, (unsigned)-ret); |
Comment on lines
+17
to
+19
| #ifndef __URL_PARSE_H__ | ||
| #define __URL_PARSE_H__ | ||
|
|
Comment on lines
+17
to
+19
| #ifndef __A2A_HANDLER_H__ | ||
| #define __A2A_HANDLER_H__ | ||
|
|
Comment on lines
+368
to
+378
| /* Peek HTTP headers to decide: A2A HTTP or WebSocket upgrade */ | ||
| char peek_buf[2048]; | ||
| int peek_total = 0; | ||
| while (peek_total < (int)sizeof(peek_buf) - 1) { | ||
| int n = recv(fd, peek_buf + peek_total, | ||
| sizeof(peek_buf) - 1 - peek_total, 0); | ||
| if (n <= 0) { close(fd); return NULL; } | ||
| peek_total += n; | ||
| peek_buf[peek_total] = '\0'; | ||
| if (strstr(peek_buf, "\r\n\r\n")) break; | ||
| } |
Static analysis + LLM-assisted security scanner for agent_skills. Detects dangerous tool usage, prompt injection, credential extraction, data exfiltration, and stealth instructions in skill markdown files. Features: - Tool risk scoring tailored to embedded device capabilities - Regex hard gates (critical findings cannot be overridden by LLM) - LLM intent review (--llm-review) to reduce false positives - Baseline diff mode (--baseline) for CI incremental scanning - 3-level disposition: pass / review / block Usage: python3 scripts/skill_security_scan.py [--llm-review] [--ci] Signed-off-by: zhouwenjie1 <zhouwenjie1@xiaomi.com>
skyxiaobai
force-pushed
the
sync-4-skill-scanner
branch
from
c3b839e to
83d863c
Compare
TangMeng12
approved these changes
May 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Note: Please adhere to Contributing Guidelines.
Summary
Update this section with information on why change is necessary,
what it exactly does and how, if new feature shows up, provide
references (dependencies, similar problems and solutions), etc.
Impact
Update this section, where applicable, on how change affects users,
build process, hardware, documentation, security, compatibility, etc.
Testing
Update this section with details on how did you verify the change,
what Host was used for build (OS, CPU, compiler, ..), what Target was
used for verification (arch, board:config, ..), etc. Providing build
and runtime logs from before and after change is highly appreciated.