SkillSpector: NVIDIA's Open Source Security Scanner for AI Agent Skills

9 min read · TunerLabs Engineering · June 14, 2026

AI agent skills run with implicit trust, and research shows a worrying share contain vulnerabilities or malicious intent. NVIDIA's open source SkillSpector scans a skill before you install it - 64 vulnerability patterns across 16 categories, two-stage static plus LLM analysis, and clear 0-100 risk scoring. Here is how it works and how to use it.

Why Agent Skill Security Suddenly Matters

AI coding agents like Claude Code, Codex CLI, and Gemini CLI are increasingly extended through skills - small bundles of instructions, prompts, and code that teach an agent to do something new. The problem is that most skills are installed with implicit trust and almost no vetting. You clone a repo, drop a `SKILL.md` into your agent, and from that moment its instructions run inside your context with access to your tools.

That is a real attack surface. Per the project, research shows that 26.1% of skills contain vulnerabilities and 5.2% show likely malicious intent. A skill can carry a hidden prompt injection, harvest your environment variables, fetch and execute remote code, or quietly persist itself on your machine.

SkillSpector is NVIDIA's open source answer to one simple question: "Is this skill safe to install?" It is a security scanner that inspects agent skills for vulnerabilities, malicious patterns, and risky behavior before they ever reach your agent.

> Adopting AI coding agents across your team? Book a free 30-minute architecture review and we will help you put safe skill-vetting guardrails in place.


What SkillSpector Is

SkillSpector is a Python 3.12+ command line tool, released under the Apache 2.0 license, that takes a skill as input, runs it through a layered analysis pipeline, and returns a risk score with a clear recommendation. It is designed to slot into the workflow developers already use: scan locally before installing, or wire it into CI so untrusted skills never merge.

The tool is built around three ideas:

  • Meet the skill where it lives. Accept Git repos, URLs, zip files, directories, or a single file.
  • Be fast by default, deep on demand. Run static analysis first, then add optional LLM semantic evaluation when you want it.
  • Give an answer, not just data. Produce a 0-100 risk score with a severity label and a plain recommendation.

Key Features

  • Multi-format input - scan Git repos, URLs, zip files, directories, or single files.
  • 64 vulnerability patterns across 16 categories - covering prompt injection, data exfiltration, privilege escalation, supply chain, excessive agency, output handling, system prompt leakage, memory poisoning, tool misuse, rogue agent behavior, trigger abuse, dangerous code via AST inspection, taint tracking, YARA signatures, MCP least privilege, and MCP tool poisoning.
  • Two-stage analysis - fast static analysis plus an optional LLM-powered semantic pass.
  • Live vulnerability lookups - the supply chain check queries OSV.dev for real-time CVE data, with an automatic offline fallback.
  • Multiple output formats - terminal, JSON, Markdown, and SARIF reports.
  • Risk scoring - a 0-100 score with severity labels and a clear install recommendation.

How the Two-Stage Analysis Works

SkillSpector splits the work into two stages so you only pay for the depth you need.

Stage 1 - static analysis. This stage is fast and requires no API keys. It pattern-matches against the 64 built-in rules, parses code into an abstract syntax tree to catch dangerous calls like `exec()` and `eval()`, runs taint tracking to follow data from untrusted sources to dangerous sinks, and matches YARA signatures for known malware, webshells, and cryptominers. The supply chain rules can reach out to OSV.dev to flag dependencies with known CVEs.

Stage 2 - LLM semantic evaluation (optional). Static rules catch known shapes. The LLM pass catches intent - behavior that is technically valid code but semantically suspicious, such as a tool whose description does not match what its code actually does. You point SkillSpector at any OpenAI-compatible endpoint and it adds a semantic layer on top of the static findings. If you want speed, skip it with `--no-llm`.
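To make the Stage 1 AST inspection concrete, here is a small added checker (this example's own code, not SkillSpector's) that parses a Python script and reports the call shapes the Behavioral AST category describes: `exec()`, `eval()`, `compile()`, `__import__`, `os.system`, `subprocess.*`, and `getattr()` with a non-literal attribute name. The sample skill script and the finding descriptions are constructed for the example.

```python
import ast

# Call names SkillSpector's Behavioral AST category describes; the
# descriptions are this example's own wording, not the tool's rule ids.
DANGEROUS_CALLS = {
    "exec": "direct exec()",
    "eval": "direct eval()",
    "compile": "compile()",
    "__import__": "dynamic import",
    "os.system": "os.system shell call",
    "subprocess.run": "subprocess call",
    "subprocess.call": "subprocess call",
    "subprocess.Popen": "subprocess call",
    "getattr": "dynamic getattr()",
}

def _dotted_name(node):
    """Return 'a.b' for Name/Attribute chains, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def find_dangerous_calls(source):
    """Parse source and return sorted (line, callee, description) tuples."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name not in DANGEROUS_CALLS:
            continue
        # getattr with a literal attribute name is static, not dynamic dispatch
        if name == "getattr" and len(node.args) > 1 and isinstance(node.args[1], ast.Constant):
            continue
        findings.append((node.lineno, name, DANGEROUS_CALLS[name]))
    return sorted(findings)

# Constructed sample: a skill helper that shells out and exec()s decoded bytes
SAMPLE_SKILL_SCRIPT = """\
import os, subprocess, base64
def run(cmd):
    subprocess.run(cmd, shell=True)
payload = base64.b64decode("cHJpbnQoJ2hpJyk=")
exec(payload)
"""
```

Running `find_dangerous_calls(SAMPLE_SKILL_SCRIPT)` reports the `subprocess.run` call on line 3 and the `exec()` on line 5; the base64 decode itself is not flagged, which is why the taint-tracking and LLM passes exist on top of plain AST matching.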


Installation

SkillSpector expects an activated virtual environment. The Makefile uses `uv` if it is available, otherwise it falls back to `pip`.

# Clone the repository
git clone https://github.com/NVIDIA/skillspector.git
cd skillspector

# Create and activate a virtual environment
uv venv .venv && source .venv/bin/activate
# or: python3 -m venv .venv && source .venv/bin/activate

# Install for production use
make install

# Or install with development dependencies
make install-dev

Run It With Docker (No Python Required)

If you would rather not install Python, build the included Dockerfile and mount the directory you want to scan into `/scan`:

# Build the image
make docker-build
# or: docker build -t skillspector .

# Scan a local directory (static only)
docker run --rm -v "$PWD:/scan" skillspector scan ./my-skill/ --no-llm

To enable the LLM pass inside Docker, pass credentials with an env file or shell variables:

docker run --rm \
  -v "$PWD:/scan" \
  -e SKILLSPECTOR_PROVIDER=anthropic \
  -e ANTHROPIC_API_KEY="$ANTHROPIC_API_KEY" \
  skillspector scan ./my-skill/

Basic Usage

The core command is `scan`, and it accepts whatever form the skill comes in:

# Scan a local skill directory
skillspector scan ./my-skill/

# Scan a single SKILL.md file
skillspector scan ./SKILL.md

# Scan a Git repository
skillspector scan https://github.com/user/my-skill

# Scan a zip file
skillspector scan ./my-skill.zip

Output Formats

Pick the format that fits the consumer - a human in a terminal, a script, your docs, or your CI pipeline:

# Terminal output (default) - pretty formatted
skillspector scan ./my-skill/

# JSON - machine readable
skillspector scan ./my-skill/ --format json --output report.json

# Markdown - for documentation
skillspector scan ./my-skill/ --format markdown --output report.md

# SARIF - for CI/CD integration and IDE tooling
skillspector scan ./my-skill/ --format sarif --output report.sarif

The SARIF output is the one to reach for in CI. It is the standard format that GitHub code scanning and most IDE security tooling understand, so findings show up inline next to the code.

Configuring LLM Analysis

For the deepest results, point SkillSpector at an LLM. You select a provider with `SKILLSPECTOR_PROVIDER`, and each ships its own default model. It also works against local OpenAI-compatible servers like Ollama, vLLM, and llama.cpp.

| Provider (`SKILLSPECTOR_PROVIDER`) | Credential env var | Endpoint | Default model |
| --- | --- | --- | --- |
| `openai` | `OPENAI_API_KEY` (+ optional `OPENAI_BASE_URL`) | api.openai.com or any OpenAI-compatible URL | `gpt-5.4` |
| `anthropic` | `ANTHROPIC_API_KEY` | api.anthropic.com | `claude-opus-4-6` |
| `nv_build` | `NVIDIA_INFERENCE_KEY` | build.nvidia.com | `deepseek-ai/deepseek-v4-flash` |

# Anthropic
export SKILLSPECTOR_PROVIDER=anthropic
export ANTHROPIC_API_KEY=sk-ant-...
skillspector scan ./my-skill/

# Local Ollama or any OpenAI-compatible endpoint
export SKILLSPECTOR_PROVIDER=openai
export OPENAI_API_KEY=ollama
export OPENAI_BASE_URL=http://localhost:11434/v1
export SKILLSPECTOR_MODEL=llama3.1:8b
skillspector scan ./my-skill/

# Skip the LLM pass entirely (faster, static only)
skillspector scan ./my-skill/ --no-llm

The 16 Vulnerability Categories

The 64 patterns are grouped into 16 categories, each with its own IDs and severities. The breadth is the point - real attacks rarely fit one bucket.

  • Prompt Injection (5) - instruction overrides, hidden instructions, exfiltration commands, behavior manipulation, and harmful content.
  • Data Exfiltration (4) - external transmission, environment variable harvesting, file system enumeration, and conversation context leakage.
  • Privilege Escalation (3) - excessive permissions, sudo/root execution, and credential access.
  • Supply Chain (6) - unpinned dependencies, `curl | bash` style remote execution, obfuscated code, known-vulnerable dependencies via live OSV.dev lookup, abandoned packages, and typosquatting.
  • Excessive Agency (4) - unrestricted tool access, autonomous decision making, scope creep, and unbounded resource access.
  • Output Handling (3) - unvalidated output injection, cross-context output across trust boundaries, and unbounded output.
  • System Prompt Leakage (3) - direct leakage, indirect extraction, and tool-based exfiltration of system prompts.
  • Memory Poisoning (3) - persistent context injection, context window stuffing, and memory manipulation.
  • Tool Misuse (3) - tool parameter abuse, chaining abuse, and unsafe defaults.
  • Rogue Agent (2) - runtime self-modification and unauthorized session persistence.
  • Trigger Abuse (3) - overly broad triggers, shadow command triggers, and keyword-baiting triggers.
  • Behavioral AST (8) - direct `exec()`, `eval()`, dynamic imports, `subprocess` calls, `os.system` and exec-family shell calls, `compile()`, dynamic `getattr()`, and dangerous execution chains.
  • Taint Tracking (5) - direct and variable-mediated taint flows, credential exfiltration chains, file-read to network exfiltration, and external-input to code-execution flows.
  • YARA Signatures (4) - matches for known malware, webshells, cryptominers, and hack tools or exploit code.
  • MCP Least Privilege (4) - underdeclared capabilities, wildcard permissions, missing permission declarations, and overdeclared permissions.
  • MCP Tool Poisoning (4) - hidden instructions in metadata, Unicode deception, parameter description injection, and description-behavior mismatch.

The last two categories are worth calling out: as more agents adopt the Model Context Protocol (MCP), tool descriptions themselves become an attack surface. SkillSpector checks both that declared permissions match real code capability and that tool metadata is not hiding instructions or homoglyph tricks.


Risk Scoring You Can Act On

Findings are only useful if they roll up into a decision. SkillSpector weights each finding by severity and applies a multiplier for executable scripts.

Score calculation:

  • CRITICAL issues: +50 points
  • HIGH issues: +25 points
  • MEDIUM issues: +10 points
  • LOW issues: +5 points
  • Executable scripts: 1.3x multiplier

Severity levels and recommendations:

| Score | Severity | Recommendation |
| --- | --- | --- |
| 0-20 | LOW | SAFE |
| 21-50 | MEDIUM | CAUTION |
| 51-80 | HIGH | DO NOT INSTALL |
| 81-100 | CRITICAL | DO NOT INSTALL |

That final column is the whole value proposition. Instead of a wall of findings, you get a verdict: SAFE, CAUTION, or DO NOT INSTALL.
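The scoring rules above, carried through as an added worked example (this is illustration code, not SkillSpector's implementation). The page gives only the per-severity points, the 1.3x multiplier and the 0-100 range, so the example assumes the multiplier is applied once to the total and that the result is rounded and clamped to 100; the finding ids are placeholders.

```python
from dataclasses import dataclass

# Points per finding severity, as stated on the page.
SEVERITY_POINTS = {"CRITICAL": 50, "HIGH": 25, "MEDIUM": 10, "LOW": 5}
# Multiplier for skills that ship executable scripts, as stated on the page.
EXECUTABLE_MULTIPLIER = 1.3
# (upper bound, severity label, recommendation) from the page's table.
BANDS = [
    (20, "LOW", "SAFE"),
    (50, "MEDIUM", "CAUTION"),
    (80, "HIGH", "DO NOT INSTALL"),
    (100, "CRITICAL", "DO NOT INSTALL"),
]

@dataclass
class Finding:
    rule_id: str   # placeholder ids below; not SkillSpector's own
    severity: str  # one of SEVERITY_POINTS

def risk_score(findings, has_executable_scripts):
    """Weighted sum of findings, times 1.3 if scripts are present.

    Assumptions (the page gives only weights, multiplier and range):
    the multiplier is applied once to the total, and the result is
    rounded to an integer and clamped to 100."""
    raw = sum(SEVERITY_POINTS[f.severity] for f in findings)
    if has_executable_scripts:
        raw *= EXECUTABLE_MULTIPLIER
    return min(100, round(raw))

def verdict(score):
    """Map a 0-100 score to (severity label, recommendation)."""
    for upper, label, recommendation in BANDS:
        if score <= upper:
            return label, recommendation
    raise ValueError(f"score out of range: {score}")

def assess(findings, has_executable_scripts):
    """Return (score, severity, recommendation) for a scan result."""
    score = risk_score(findings, has_executable_scripts)
    return (score, *verdict(score))

# Constructed sample: one HIGH, one MEDIUM, one LOW finding.
SAMPLE_FINDINGS = [
    Finding("EXAMPLE-EXFIL-1", "HIGH"),
    Finding("EXAMPLE-DEP-1", "MEDIUM"),
    Finding("EXAMPLE-PIN-1", "LOW"),
]
# Same findings: 40 -> CAUTION without scripts, 52 -> DO NOT INSTALL with.
```

The sample shows why the multiplier matters: the same three findings score 40 (CAUTION) in a prompt-only skill but 52 (DO NOT INSTALL) once the skill ships a script.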


Where SkillSpector Fits in a Real Workflow

Two patterns make sense for most teams:

  • Pre-install gate (local). Before adding any third-party skill, run a quick static scan: `skillspector scan --no-llm`. If it comes back CAUTION or worse, you look closer before it ever touches your agent.
  • CI policy (automated). In a pipeline, scan in SARIF format and fail the build on HIGH or CRITICAL findings. Because the supply chain checks query OSV.dev live, you also catch newly disclosed CVEs in a skill's dependencies without changing anything.

For teams running agentic coding at scale, this turns skill adoption from a trust-by-default habit into a measured, auditable decision - which is exactly the discipline that keeps autonomous agents dependable.


The Bottom Line

Agent skills are powerful precisely because they run with the agent's trust and tools. That same property is what makes an unvetted skill dangerous. SkillSpector gives you a fast, scriptable, open source way to inspect a skill before you trust it - 64 patterns across 16 categories, layered static and LLM analysis, live CVE lookups, and a single clear recommendation at the end.

If your team is leaning into AI coding agents, vetting the skills they consume should be a default step, not an afterthought. SkillSpector makes that step cheap enough that there is no excuse to skip it.

> Rolling out AI agents in production? Talk to TunerLabs - we design and deploy secure agentic systems for businesses worldwide, with the scoping, vetting, and review structure that keeps strong models safe to run.

Topics: SkillSpector, NVIDIA, AI security, agent skills, Claude Code, supply chain security, prompt injection, MCP, static analysis, open source