molecule-ai/molecule-ai-plugin-molecule-security-scan
49
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
31 Commits 11 Branches 1 Tag
main
T
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
devops-engineer 0e6eb14b04
CI / validate (push) Successful in 14s
Details
Merge pull request 'ci: remove gitea-merge-queue schedule: (queue absorbed into operator conductor)' (#18) from ci/absorb-queue-schedule-into-conductor into main
2026-06-10 16:17:57 +00:00
.gitea
ci: remove gitea-merge-queue schedule (absorbed into operator conductor, operator-config#194)
2026-06-10 10:15:54 +00:00
.molecule-ci/scripts
import from local vendored copy (2026-05-06)
2026-05-06 13:53:30 -07:00
adapters
fix(adapters): add missing deepagents.py adapter
2026-05-16 04:13:56 +00:00
runbooks
docs(install): migrate git clone URL to git.moleculesai.app (#37)\n\nAnonymous git-clone refs in CLAUDE.md, runbooks/local-dev-setup.md migrated github.com/Molecule-AI \u2192 git.moleculesai.app/molecule-ai. Public repo, no auth-shape change. Same pattern as the other plugin-* sweeps in the #37 series.\n\nRefs: molecule-ai/internal#37, molecule-ai/internal#38, molecule-ai/internal#42
2026-05-07 00:01:11 -07:00
skills/skill-cve-gate
feat: add claude_code adapter to resolve runtime gap (internal#266)
2026-05-11 03:39:16 +00:00
tests
feat: add claude_code adapter to resolve runtime gap (internal#266)
2026-05-11 03:39:16 +00:00
.gitignore
chore: append Python ignores to .gitignore
2026-05-10 16:19:52 +00:00
CLAUDE.md
docs(install): migrate git clone URL to git.moleculesai.app (#37)\n\nAnonymous git-clone refs in CLAUDE.md, runbooks/local-dev-setup.md migrated github.com/Molecule-AI \u2192 git.moleculesai.app/molecule-ai. Public repo, no auth-shape change. Same pattern as the other plugin-* sweeps in the #37 series.\n\nRefs: molecule-ai/internal#37, molecule-ai/internal#38, molecule-ai/internal#42
2026-05-07 00:01:11 -07:00
known-issues.md
import from local vendored copy (2026-05-06)
2026-05-06 13:53:30 -07:00
plugin.yaml
import from local vendored copy (2026-05-06)
2026-05-06 13:53:30 -07:00
README.md
feat: add claude_code adapter to resolve runtime gap (internal#266)
2026-05-11 03:39:16 +00:00

README.md

molecule-security-scan

Supply-chain CVE gate for skill dependencies. Runs Snyk or pip-audit against a skill's requirements.txt before the skill loads, blocking or warning on critical/high CVEs.

How it works

Before a skill is activated, the plugin:

  1. Locates the skill's requirements.txt (in skills/<name>/)
  2. Runs pip-audit (default) or snyk test (if configured)
  3. Filters findings by severity threshold
  4. Blocks or warns based on config

Critical/High CVEs block by default. Medium/Low warn.

Install

In org template (org.yaml)

plugins:
  - molecule-security-scan

From URL (community install)

github://Molecule-AI/molecule-ai-plugin-molecule-security-scan

Configuration

security_scan:
  mode: block       # or: warn
  min_severity: high # block CVEs at or above this level
  scanner: pip-audit # or: snyk
  snyk_token_env: SNYK_TOKEN  # env var name for Snyk token

Runtimes

  • langgraph — primary
  • claude_code — supported
  • deepagents — supported

Skills

  • skill-cve-gate — agent guidance on CVE findings

Architecture

skills/
  skill-cve-gate/
    SKILL.md   # Agent-side guidance on when to activate the CVE gate
adapters/
  claude_code.py  # Installs skill via AgentskillsAdaptor; CVE gate is a pre-load
                  # hook inside the skill loader, not an agent-callable tool
runbooks/
  setup.md        # Snyk token setup, pip-audit installation

Known issues

See known-issues.md.

License

Business Source License 1.1 — © Molecule AI.

Reference in New Issue View Git Blame Copy Permalink
S
Description
No description provided
Readme 106 KiB
Languages
Python 100%