AI-Infra-Guard
AI-Infra-Guard is an open-source red teaming platform from Tencent that scans AI systems, agents, skills, and LLMs for security vulnerabilities including jailbreaks and prompt injection attacks. It provides multiple scanning modules (OpenClaw Security Scan, Agent Scan, Skills Scan, MCP Scan, AI Infra Scan) accessible via web UI, Docker, or programmatic API.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | Tencent/AI-Infra-Guard |
| Owner | Tencent |
| Primary language | Python |
| License | Apache-2.0 — OSI-approved |
| Stars | 4.1k |
| Forks | 393 |
| Open issues | 18 |
| Latest release | v4.1.15 (2026-06-25) |
| Last updated | 2026-07-08 |
| Source | https://github.com/Tencent/AI-Infra-Guard |
What AI-Infra-Guard is
Python-based full-stack platform offering integrated vulnerability detection across AI components (68+ AI frameworks), LLM jailbreak evaluation, MCP server scanning, agent security assessment, and skill trust validation. Recent releases (v4.1.10–v4.1.15) expanded CVE coverage to 600+ rules, added WebSocket agent support, and introduced threat detection for tool poisoning and credential exfiltration.
Get the AI-Infra-Guard source
Clone the repository and explore it locally.
git clone https://github.com/Tencent/AI-Infra-Guard.gitcd AI-Infra-Guard# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Docker 20.10+ and 4GB+ RAM minimum; 10GB+ disk space recommended. Docker Compose V2+ syntax supported; verify your container runtime version before deployment.
- No built-in authentication; restrict network access and deploy only in trusted internal environments. Requires reverse proxy or firewall rules if accessed remotely.
- LLM API key management: model.token field now optional (v4.1.15) with system default fallback; review how credentials are stored and rotated in your environment.
- Integration points: web UI at `http://localhost:8088`, REST API for programmatic access, OpenClaw skill integration via `aig-scanner` or `aig-agent-redteam` skills, pip-installable `aig-skill-scan` for CI/CD.
- Skill assessment aligns with SkillTrustBench T01–T09 taxonomy (credential exfiltration, tool poisoning, command injection, etc.); map these to your internal risk classification scheme.
When to avoid it — and what to weigh
- Requiring authentication and role-based access control — README explicitly states project lacks authentication and should not be deployed on public networks; intended for internal enterprise use only. RBAC features not mentioned in data.
- Need for guarantee of detection accuracy without tuning — Data does not specify false positive/negative rates, detection accuracy benchmarks, or claim to catch all vulnerability classes. Requires validation against your threat model.
- Expecting commercial support or SLA guarantees — Community-driven open-source project. Unknown commercial support model or upstream response commitments. No SLA or guaranteed patching timeline documented.
- Isolated scanning without AI system integration — Designed as a full-stack platform requiring integration with your AI infrastructure (agents, LLMs, MCP servers). Not a standalone static analysis tool for offline code review.
License & commercial use
Apache License 2.0 (permissive OSI license). Allows commercial use, modification, and distribution with attribution. Derivative works must retain the Apache 2.0 license. No patent grant restrictions noted in standard Apache 2.0 terms.
Apache 2.0 permits commercial deployment and use. However: (1) no explicit commercial support or warranty is documented; (2) project README notes it is 'for internal use by enterprises or individuals' and lacks authentication, suggesting it is not intended as a commercial SaaS product; (3) reliance on upstream LLM APIs (e.g., OpenClaw, DeepSeek) may incur API costs; (4) Tencent may change the project, roadmap, or licensing at any time. Recommend legal review before embedding in critical commercial workflows.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Strong |
| Assessment confidence | High |
Platform design: intended for AI red teaming (adversarial testing), so it will attempt jailbreaks, prompt injection, and other attack vectors as part of normal operation. Operational security: lacks authentication and should not be internet-exposed. Network isolation required. LLM API keys must be managed securely (v4.1.15 introduced optional token handling with system defaults). Scanning coverage: 68 AI components and 600+ CVE rules documented; no third-party security audit or penetration test results provided. Artifact handling: unknown if scan results (potentially containing sensitive model outputs, LLM prompts, credentials) are logged, encrypted, or retained. Upstream risks: depends on external LLM APIs (DeepSeek, etc.) and OpenClaw; no offline mode mentioned.
Alternatives to consider
Garak (National Cybercareer Centre Canada)
Open-source LLM security testing framework. Focused narrowly on prompt injection and jailbreak evaluation; lacks agent/MCP/infra scanning and full-stack platform features. Lighter-weight alternative if you only need LLM red teaming.
OpenAI Red Teaming / Internal Red Teaming Suites
Proprietary, model-specific, or research-only tooling. May have higher accuracy on specific models but not portable across enterprises or open-source agents. Commercial support available, but licensing and cost differ significantly.
Hugging Face SafetyKit / Community Security Tools
Lightweight, modular open-source components for prompt security or model evaluation. Lack the integrated agent/MCP/infra scanning and comprehensive CVE rule library; suitable for targeted, ad-hoc testing rather than enterprise-wide posture assessment.
Build on AI-Infra-Guard with DEV.co software developers
Get started with AI-Infra-Guard: deploy via Docker in minutes, scan your agents and LLMs for vulnerabilities, and integrate security testing into your CI/CD pipeline. Review documentation and try the platform on your internal network.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
AI-Infra-Guard FAQ
Can I use AI-Infra-Guard in production on the internet?
Does it support my LLM provider (OpenAI, Claude, Anthropic, etc.)?
What is the cost and is there commercial support?
How accurate is the vulnerability detection?
Custom software development services
DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If AI-Infra-Guard is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.
Secure Your AI Infrastructure Today
Get started with AI-Infra-Guard: deploy via Docker in minutes, scan your agents and LLMs for vulnerabilities, and integrate security testing into your CI/CD pipeline. Review documentation and try the platform on your internal network.