SkillSpector
by
NVIDIA

Description: Security scanner for AI agent skills. Detect vulnerabilities, malicious patterns, and security risks.

Summary Information

Updated 26 minutes ago
Added to GitGenius on June 16th, 2026
Created on March 21st, 2026
Open Issues & Pull Requests: 57 (+0)
Number of forks: 515
Total Stargazers: 7,000 (+9)
Total Subscribers: 31 (+0)

Issue Activity (beta)

Open issues: 27
New in 7 days: 31
Closed in 7 days: 13
Avg open age: 5 days
Stale 30+ days: 0
Stale 90+ days: 0

Recent activity

Opened in 7 days: 29
Closed in 7 days: 12
Comments in 7 days: 10
Events in 7 days: 23

Detailed Description

SkillSpector is a comprehensive security scanner developed by NVIDIA for evaluating the safety of AI agent skills before installation. AI agent skills, which are used in platforms such as Claude Code, Codex CLI, and Gemini CLI, often execute with implicit trust and minimal vetting, making them susceptible to vulnerabilities and malicious behaviors. Research cited in the repository indicates that over a quarter of these skills contain vulnerabilities, and a significant percentage exhibit signs of malicious intent. SkillSpector addresses this risk by providing automated analysis to help users determine whether a skill is safe to install.

The tool is written in Python and is designed for flexibility and ease of use. It supports scanning multiple input formats, including Git repositories, URLs, zip files, directories, and individual files. SkillSpector analyzes skills for 64 distinct vulnerability patterns across 16 categories, such as prompt injection, data exfiltration, privilege escalation, supply chain risks, excessive agency, output handling, system prompt leakage, memory poisoning, tool misuse, rogue agent behaviors, trigger abuse, dangerous code patterns (via AST analysis), taint tracking, YARA signatures, MCP least privilege violations, and MCP tool poisoning. This broad coverage ensures that a wide range of potential security issues is detected.

SkillSpector employs a two-stage analysis pipeline. The first stage is a fast static analysis that quickly scans for known vulnerability patterns. The second, optional stage leverages large language models (LLMs) for semantic evaluation, providing deeper insights into potential risks that may not be evident through static analysis alone. Users can configure SkillSpector to use various LLM providers, including OpenAI, Anthropic, and NVIDIA's own inference gateway, as well as local OpenAI-compatible servers. This flexibility allows organizations to tailor the analysis to their preferred infrastructure and privacy requirements.

A notable feature of SkillSpector is its integration with OSV.dev for live vulnerability lookups. When scanning for supply chain risks, SkillSpector queries OSV.dev to retrieve real-time CVE data, ensuring that users are informed about known vulnerabilities in dependencies. If online access is unavailable, the tool automatically falls back to offline data, maintaining reliability.

SkillSpector provides multiple output formats to suit different workflows, including terminal output, JSON, Markdown, and SARIF reports. Each scan generates a risk score from 0 to 100, accompanied by severity labels and actionable recommendations. This scoring system helps users quickly assess the overall risk and prioritize remediation efforts.

The repository includes detailed documentation, such as a development guide outlining the architecture, package layout, and instructions for extending the analyzer pipeline. Installation is straightforward, with support for virtual environments and Docker, allowing users to run SkillSpector without installing Python locally. The Docker image is based on the official Python 3.12-slim-bookworm image, ensuring compatibility and security.

In summary, SkillSpector is a robust tool for proactively identifying vulnerabilities, malicious patterns, and security risks in AI agent skills. Its multi-format input support, extensive vulnerability pattern coverage, two-stage analysis pipeline, real-time CVE integration, flexible LLM configuration, and versatile reporting make it an essential solution for organizations seeking to secure their AI agent ecosystems.
