Add Prism Scanner to Ecosystem Tools section

[aidongise-cell]

Summary

Adds Prism Scanner to the Ecosystem Tools section alongside AgentShield and Plankton.

(Previous PR #562 incorrectly placed the entry in the v1.6.0 changelog. This PR puts it in the right section.)

Prism Scanner complements AgentShield by focusing on a different attack surface:

• AgentShield scans your local Claude Code config (CLAUDE.md, settings, hooks, MCP configs)
• Prism Scanner scans third-party code (skills, plugins, MCP servers) before you install them

Key features:

• 39+ detection rules with AST taint tracking
• A-F grading with actionable recommendations
• Post-uninstall system residue cleanup
• Open source, Apache 2.0

Install: pip install prism-scanner

---

Summary by cubic

Added prism-scanner to the Ecosystem Tools section of the README as a supply-chain security scanner for third‑party agent skills, plugins, and MCP servers. Includes install and quick usage example, key features (39+ rules, A–F grading, residue cleanup), supported outputs (terminal/JSON/HTML/SARIF), and links to GitHub, PyPI, and its MCP server.

^{Written for commit 02c1080. Summary will update on new commits.}

Summary by CodeRabbit

Documentation

• Added comprehensive documentation for Prism Scanner, a new open-source security scanning tool designed specifically for AI Agent skills, plugins, and MCP servers. Covers detailed installation instructions, full scanning capabilities including 39+ security rules, AST taint tracking, signature matching, metadata analysis, post-uninstall residue detection, grading system, and multiple output format options.

[coderabbitai]

📝 Walkthrough

Walkthrough

A new section documenting Prism Scanner—an open-source security scanner for AI Agent skills, plugins, and MCP servers—has been added to the README.md between the AgentShield and Plankton sections, including installation instructions, scanning capabilities, and output formats.

Changes

Cohort / File(s)	Summary
Documentation README.md	Added new section for Prism Scanner with installation snippet, 39+ security rules, AST taint tracking, signature matching, metadata analysis, and output format details.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A scanner joins the warren's guard,
With 39 rules to work so hard,
Finding risks in plugins deep,
Keeping AI Agent supplies safe and neat!
~CodeRabbit Poeteer 🌙

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly matches the PR's main objective: adding Prism Scanner to the Ecosystem Tools section in README.md.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR adds a single-entry documentation change to README.md, inserting Prism Scanner into the Ecosystem Tools section between AgentShield and Plankton. The formatting, heading style, and bold-section structure are all consistent with the surrounding entries.

Key observations:

• Self-promotional PR: The PR author (aidongise-cell) is the same account that owns the linked GitHub repository (github.com/aidongise-cell/prism-scanner). Maintainers should verify this meets the project's community-contribution policy before merging.
• "ClawHub" reference: Line 506 mentions ClawHub as a registry Prism Scanner covers, alongside npm and pip. ClawHub is not a widely-known platform and is not linked or described anywhere. This may overstate the tool's coverage or mislead users unfamiliar with the name.
• Unverifiable claims at review time: Feature claims (39+ rules, A-F grading, SARIF output) cannot be verified from the diff alone; maintainers may wish to spot-check the linked PyPI package and GitHub repo.
• No emoji prefix: Plankton uses 🔬 in its heading; the new entry does not. This was already inconsistent with AgentShield (which also lacks an emoji), so it is not introduced by this PR.
• Low risk overall — this is a documentation-only change with no code impact.

Confidence Score: 4/5

• Documentation-only change with no code impact; safe to merge after verifying the "ClawHub" reference and community-contribution policy.
• The change is confined to a single README entry, follows established formatting conventions, and introduces no executable code. The minor concern around the unlinked "ClawHub" platform reference and the self-promotional nature of the PR are editorial rather than technical issues, hence a score of 4 rather than 5.
• README.md — specifically line 506 where the unverified "ClawHub" platform is mentioned.

Important Files Changed

Filename	Overview
README.md	Adds Prism Scanner entry to the Ecosystem Tools section between AgentShield and Plankton; formatting is consistent with existing entries, but "ClawHub" is an obscure/unverified platform reference and the PR is self-promotional (author owns the linked repo).

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Developer] -->|Local config audit| B[AgentShield]
    A -->|Pre-install scan| C[Prism Scanner]
    A -->|Write-time quality| D[Plankton]

    B --> B1[CLAUDE.md\nsettings.json\nhooks / MCP configs]
    C --> C1[Third-party skills\nplugins\nMCP servers]
    C1 --> C2{39+ Detection Rules\nAST taint tracking\nSignature matching}
    C2 --> C3[A-F Grade\nJSON / HTML / SARIF report]
    C3 --> C4[Post-uninstall\nresidue cleanup]

    D --> D1[Formatters + 20+ linters\non every file edit]

Loading

_{Last reviewed commit: "Add Prism Scanner to..."}

[greptile-apps]

Unverified "ClawHub" platform reference

The description mentions ClawHub as a platform Prism Scanner indexes, alongside npm and pip. ClawHub does not appear to be a widely-known or publicly documented platform in the AI-agent/MCP ecosystem. Including it in marketing copy alongside established registries (npm, pip) without a link or explanation may confuse readers or overstate the tool's coverage.

Consider either linking to the ClawHub platform (e.g. [ClawHub](https://clawhub.io)) or removing the reference if it is a placeholder / under-development registry.

Suggested change

	**What it scans:** Agent skills, plugins, and MCP servers across ClawHub, npm, and pip with 39+ detection rules — AST-level taint tracking, malicious signature matching, metadata analysis, and post-uninstall system residue detection.
	**What it scans:** Agent skills, plugins, and MCP servers across npm and pip with 39+ detection rules — AST-level taint tracking, malicious signature matching, metadata analysis, and post-uninstall system residue detection.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@README.md`:
- Around line 499-513: Add the Apache-2.0 license information to the README for
prism-scanner: insert an SPDX short identifier and a visible license badge and a
short "License" section (mentioning Apache License 2.0 with a link to the full
text) near the project title/links, and ensure the README references the same
Apache-2.0 wording shown in the repository (so README.md, the prism-scanner
project name, and the existing GitHub/PyPI links reflect the licensed status).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f5c19c17-e7c4-4bfb-a969-8aaec26ebdfa

📥 Commits

Reviewing files that changed from the base of the PR and between 4bdbf57 and 02c1080.

📒 Files selected for processing (1)

• README.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add the Prism Scanner license to match the documented PR intent.

The new block omits the license detail (Apache 2.0), which is useful trust/compliance context for security tooling.

✏️ Proposed docs patch

 Open-source security scanner for AI Agent skills, plugins, and MCP servers. Complements AgentShield (which focuses on your local Claude Code config) by scanning third-party code *before* you install it.
+License: Apache 2.0.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@README.md` around lines 499 - 513, Add the Apache-2.0 license information to
the README for prism-scanner: insert an SPDX short identifier and a visible
license badge and a short "License" section (mentioning Apache License 2.0 with
a link to the full text) near the project title/links, and ensure the README
references the same Apache-2.0 wording shown in the repository (so README.md,
the prism-scanner project name, and the existing GitHub/PyPI links reflect the
licensed status).

[cubic-dev-ai]

1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="README.md">

<violation number="1" location="README.md:512">
P2: User-facing docs now instruct users to install/run an external tool from an unvetted third-party repo/package, which violates the team policy to avoid linking to unapproved external repositories in docs (supply-chain risk).</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: User-facing docs now instruct users to install/run an external tool from an unvetted third-party repo/package, which violates the team policy to avoid linking to unapproved external repositories in docs (supply-chain risk).

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At README.md, line 512:

<comment>User-facing docs now instruct users to install/run an external tool from an unvetted third-party repo/package, which violates the team policy to avoid linking to unapproved external repositories in docs (supply-chain risk).</comment>

<file context>
@@ -494,6 +494,23 @@ Use `/security-scan` in Claude Code to run it, or add to CI with the [GitHub Act
+
+**Output formats:** Terminal, JSON, HTML, SARIF (GitHub Code Scanning integration).
+
+[GitHub](https://github.com/aidongise-cell/prism-scanner) | [PyPI](https://pypi.org/project/prism-scanner/) | [MCP Server](https://mcp.so/server/prism-scanner)
+
 ### 🔬 Plankton — Write-Time Code Quality Enforcement
</file context>