Problems I Ran Into While Using A.I.G in My Academic Experiments #131
lf9847249-sketch started this conversation in Ideas
Replies: 1 comment
This is a good idea, and we expect to introduce skill techniques to solve this problem.
-
When I started using A.I.G in my research, it really helped me dig into the code and spot suspicious behavior — much better than traditional static analysis tools. Really appreciate the work behind it.
I did run into a couple of issues though:
Case 1: Slack MCP Server
A.I.G flagged a “command injection risk” in a normal chat_postMessage() call using formatted strings. This is standard Slack SDK usage, so it seems like the model doesn’t have enough context about Slack API patterns.
Case 2: Google Drive MCP
It flagged OAuth tokens in .env as “plaintext credential storage.” Technically true, but this is the official local-dev setup. I need to separate real vulnerabilities from normal dev practices, and right now that takes a lot of manual checking.
Suggestions
- A basic MCP knowledge base to reduce these context-related false positives
- Confidence scores instead of binary flags
- Optional domain-specific plugins (Slack, GitHub, etc.)
Overall, A.I.G has been very helpful in my experiments, and I’m hoping it keeps improving.
Curious if the maintainers are considering an MCP knowledge base or plugin system — that would really help for research work.