Semantic Shield
Quick summary
AI skill safety validation powered by real human security experts. Before your agent installs a skill, plugin, or MCP tool — check its trust profile. Get a safety score (0–100), risk level, threat details, and a clear install/reject recommendation. If the skill hasn't been vetted yet, submit it for expert evaluation. Continuous 0-day monitoring keeps assessments current.
100% REAL human security staff with 30+ years of enterprise security experience, including US Homeland Security. No AI-only reviews — every skill is assessed by trusted experts.
Authentication
INLINECODE0� is always required. This is your personal API key generated when you create an account at https://dashboard.simplysemantics.com. It authenticates your requests and is scoped to your Semantic Shield account only — it does not grant access to any other Simply Semantics service or third-party system. You can revoke and regenerate your key at any time from the dashboard.
Privacy & data handling
- - What data is sent: Only skill identifiers (
skill_id), provider names (provider), and optionally a public skill URL (skill_url) when submitting a skill for evaluation. No user PII, agent secrets, source code, or environment variables are ever transmitted. - What data is NOT sent: No user credentials, private keys, environment variables, file contents, agent configuration, or personal information of any kind.
- Data retention: Skill safety assessments are stored in the Semantic Shield registry and are available to all users (they are public safety verdicts). Your account usage metrics (lookup/inquiry counts) are stored in your account only.
- API key handling: Your
SEMANTIC_SHIELD_API_KEY is used solely for request authentication. It is never logged, shared, or transmitted to third parties. - Webhook alerts (Pro+ tiers only): If you configure a webhook URL in the dashboard, Semantic Shield will POST notifications to your URL when a previously vetted skill's safety status changes (e.g. new threat detected). The webhook payload contains only the skill ID, provider, updated safety score, and risk level. You control the webhook URL and can disable it at any time. Free tier users do not have webhooks.
- No cross-service data sharing: Your Semantic Shield data is not shared with other Simply Semantics services (e.g. Semantic Prospect).
- Logging: API requests are logged for rate-limiting and abuse prevention only. Logs contain your API key hash (not the key itself), the endpoint called, skill_id, provider, and timestamp. Logs are retained for 30 days.
When to use this skill (activation triggers)
Activate Semantic Shield when the user or agent:
- - Is about to install, enable, or use an AI skill, plugin, tool, or MCP endpoint.
- Asks "is this skill safe?", "should I trust this plugin?", "check this tool's security", "vet this skill".
- Wants to look up a skill's safety score, risk level, or threat profile.
- Wants to submit an unknown or unvetted skill for expert security review.
- Needs to verify trust before autonomous agent action (install, execute, delegate).
- Asks about skill security, compliance, or risk assessment.
Do NOT use for:
- - General cybersecurity questions unrelated to AI skills/plugins.
- Scanning websites, IPs, or infrastructure (use dedicated security tools).
- PII lookup or identity verification.
- Code review or static analysis (Semantic Shield evaluates holistic skill risk, not line-by-line code).
How to use (instructions for the agent)
1. Search for a skill (free — no quota cost)
Check if a skill exists in the Semantic Shield database before using a lookup.
GET �INLINECODE5
Headers:
�CODEBLOCK0
Query parameters:
- -
q — skill name or ID (partial match) - INLINECODE7� — optional provider name filter
Example:
�CODEBLOCK1
Response:
�CODEBLOCK2
2. Check a skill's trust profile (costs 1 lookup)
Get full safety details for a specific skill.
GET �INLINECODE8
Headers:
�CODEBLOCK3
Query parameters:
- -
skill_id — exact skill identifier (required) - INLINECODE10� — exact provider name (required)
Example:
�CODEBLOCK4
Response (vetted):
�CODEBLOCK5
Response (not vetted — 404):
�CODEBLOCK6
3. Submit a skill for vetting (costs 1 inquiry)
If a skill is not in the database, submit it for expert evaluation. Only public skill identifiers and URLs are accepted — do not submit private source code, secrets, or internal URLs.
POST �INLINECODE11
Headers:
�CODEBLOCK7
Body:
�CODEBLOCK8
⚠️ skill_url should be a public URL only (e.g. a marketplace listing, GitHub repo, or documentation page). Do not submit private/internal URLs, source code repositories, or URLs containing secrets or tokens.
Response:
�CODEBLOCK9
4. Decision logic for agents
Based on the response, the agent should:
| safetyscore | risklevel | Action |
|---|
| 90–100 | safe | ✅ Install / proceed |
| 75–89 |
low | ✅ Install, note minor risks |
| 50–74 | medium | ⚠️ Warn user, ask for confirmation |
| 25–49 | high | ❌ Recommend against, require explicit override |
| 0–24 | critical | 🚫 Block installation, alert user |
| null | unknown | ⚠️ Not vetted — submit for review or warn user |
5. Edge cases
- - 401/403 → "Missing or invalid SEMANTICSHIELDAPI_KEY. Set the env var to use this skill."
- 429 → "Rate/quota limit reached — upgrade your plan or retry later."
- 404 → Skill not vetted. Offer to submit for evaluation or warn user.
- 500 → "Service temporarily unavailable. Try again shortly."
Output format
Present results clearly to the user:
CODEBLOCK10
Semantic Shield
快速摘要
由真实人类安全专家驱动的AI技能安全验证。在您的智能体安装技能、插件或MCP工具之前,请检查其信任档案。获取安全评分(0-100)、风险等级、威胁详情以及明确的安装/拒绝建议。如果技能尚未经过审查,可提交进行专家评估。持续零日监控确保评估始终最新。
100%真实人类安全人员,拥有30年以上企业安全经验,包括美国国土安全部。非纯AI审查——每项技能均由可信专家评估。
身份验证
SEMANTICSHIELDAPI_KEY 始终必需。这是您在 https://dashboard.simplysemantics.com 创建账户时生成的个人API密钥。它用于验证您的请求,并仅限定于您的Semantic Shield账户——不会授予任何其他Simply Semantics服务或第三方系统的访问权限。您可以随时在控制面板中撤销和重新生成密钥。
隐私与数据处理
- - 发送的数据:仅技能标识符(skillid)、提供商名称(provider),以及提交技能进行评估时可选填的公开技能URL(skillurl)。绝不传输任何用户个人身份信息、智能体机密、源代码或环境变量。
- 不发送的数据:不发送任何用户凭证、私钥、环境变量、文件内容、智能体配置或任何类型的个人信息。
- 数据保留:技能安全评估存储在Semantic Shield注册表中,所有用户均可查看(属于公开安全判定)。您的账户使用指标(查询/询问次数)仅存储在您的账户中。
- API密钥处理:您的SEMANTICSHIELDAPIKEY仅用于请求身份验证。绝不会被记录、共享或传输给第三方。
- Webhook警报(仅Pro+层级):如果您在控制面板中配置了webhook URL,当先前审查过的技能安全状态发生变化时(例如检测到新威胁),Semantic Shield将向您的URL发送POST通知。Webhook负载仅包含技能ID、提供商、更新后的安全评分和风险等级。您控制webhook URL并可随时禁用它。免费层级用户无webhook功能。
- 无跨服务数据共享:您的Semantic Shield数据不会与其他Simply Semantics服务(如Semantic Prospect)共享。
- 日志记录:API请求仅用于速率限制和滥用预防。日志包含您的API密钥哈希值(非密钥本身)、调用的端点、skillid、提供商和时间戳。日志保留30天。
何时使用此技能(触发条件)
当用户或智能体出现以下情况时,激活Semantic Shield:
- - 即将安装、启用或使用AI技能、插件、工具或MCP端点。
- 询问这个技能安全吗?、我应该信任这个插件吗?、检查这个工具的安全性、审查这个技能。
- 想要查找技能的安全评分、风险等级或威胁概况。
- 想要提交未知或未经审查的技能进行专家安全审查。
- 需要在自主智能体操作(安装、执行、委派)前验证信任度。
- 询问关于技能安全、合规性或风险评估的问题。
不要用于:
- - 与AI技能/插件无关的通用网络安全问题。
- 扫描网站、IP或基础设施(请使用专用安全工具)。
- 个人身份信息查询或身份验证。
- 代码审查或静态分析(Semantic Shield评估整体技能风险,而非逐行代码)。
使用方法(智能体操作指南)
1. 搜索技能(免费——不消耗配额)
在使用查询前,检查技能是否存在于Semantic Shield数据库中。
GET https://dashboard.simplysemantics.com/shield/api/v1/search
请求头:
text
x-api-key: ${SEMANTICSHIELDAPI_KEY}
查询参数:
- - q — 技能名称或ID(部分匹配)
- provider — 可选提供商名称筛选
示例:
GET https://dashboard.simplysemantics.com/shield/api/v1/search?q=weather&provider=example-ai
响应:
json
{
results: [
{ skill_id: weather-pro-v2, provider: example-ai }
],
count: 1
}
2. 检查技能信任档案(消耗1次查询)
获取特定技能的完整安全详情。
GET https://dashboard.simplysemantics.com/shield/api/v1/check
请求头:
text
x-api-key: ${SEMANTICSHIELDAPI_KEY}
查询参数:
- - skill_id — 精确技能标识符(必需)
- provider — 精确提供商名称(必需)
示例:
GET https://dashboard.simplysemantics.com/shield/api/v1/check?skill_id=weather-pro-v2&provider=example-ai
响应(已审查):
json
{
skill_id: weather-pro-v2,
provider: example-ai,
skill_url: https://example.com/weather-pro-v2,
vetted: true,
vetted_by: Simply Semantics,
safety_score: 92,
risk_level: safe,
risk_summary: 无已知漏洞。权限范围设置正确。,
threats_found: [],
recommendation: 可安全安装,
last_checked: 2026-02-28
}
响应(未审查——404):
json
{
skill_id: unknown-plugin,
provider: unverified-co,
vetted: false,
safety_score: null,
risk_level: unknown,
recommendation: 未经审查 - 安装风险自负,
message: 此技能尚未经过审查。请提交进行验证。,
submit_url: /api/v1/validate
}
3. 提交技能进行审查(消耗1次询问)
如果技能不在数据库中,请提交进行专家评估。仅接受公开技能标识符和URL——请勿提交私有源代码、机密或内部URL。
POST https://dashboard.simplysemantics.com/shield/api/v1/validate
请求头:
text
x-api-key: ${SEMANTICSHIELDAPI_KEY}
Content-Type: application/json
请求体:
json
{
skill_id: new-plugin-v1,
provider: some-provider,
skill_url: https://example.com/new-plugin
}
⚠️ skill_url 应仅为公开URL(例如市场列表、GitHub仓库或文档页面)。请勿提交私有/内部URL、源代码仓库或包含机密或令牌的URL。
响应:
json
{
message: 技能已提交评估。,
request_id: abc-123,
skill_id: new-plugin-v1,
provider: some-provider,
status: pending
}
4. 智能体决策逻辑
根据响应,智能体应执行以下操作:
| safetyscore | risklevel | 操作 |
|---|
| 90–100 | 安全 | ✅ 安装 / 继续 |
| 75–89 |
低风险 | ✅ 安装,注明轻微风险 |
| 50–74 | 中等风险 | ⚠️ 警告用户,请求确认 |
| 25–49 | 高风险 | ❌ 建议反对,需要明确覆盖 |
| 0–24 | 严重风险 | 🚫 阻止安装,提醒用户 |
| null | 未知 | ⚠️ 未经审查 — 提交审查或警告用户 |
5. 边界情况
- - 401/403 → 缺少或无效的SEMANTICSHIELDAPI_KEY。请设置环境变量以使用此技能。
- 429 → 已达到速率/配额限制 — 请升级您的套餐或稍后重试。
- 404 → 技能未经审查。提供提交评估或警告用户的选项。
- 500 → 服务暂时不可用。请稍后重试。
输出格式
向用户清晰呈现结果:
🛡️ Semantic Shield — 信任报告
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
技能: weather-pro-v2
提供商: example-ai
安全评分: 92/100 ✅
风险等级: 安全
建议: 可安全安装
威胁: 未检测到
最后检查: 2026年2月28日
审查方: Simply Semantics
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
