# SkillSpector

By **nvidia** · Software & Tools

NVIDIA's open-source security scanner for AI agent skills, detects prompt injection, supply chain attacks, and 66 other vulnerability patterns before you install.

- Source: https://github.com/NVIDIA/SkillSpector
- Repository: https://github.com/NVIDIA/SkillSpector
- Install: `git clone https://github.com/NVIDIA/SkillSpector.git cd SkillSpector uv venv .venv && source .venv/bin/activate make install skillspector scan ./my-skill/`
- Tags: security, open-source, cli, mcp, agent, nvidia, static-analysis, python
- Pricing: free
- Upvotes: 0

## Features

- Scans Git repos, URLs, zip archives, directories, and single files
- 68 vulnerability patterns across 17 categories including MCP-specific checks
- Two-stage analysis: static pattern matching then optional LLM semantic evaluation
- Live CVE lookups via OSV.dev with automatic offline fallback
- Output formats: terminal, JSON, Markdown, SARIF (CI/CD and IDE compatible)
- 0-100 risk score with severity label, recommendation, and safe_to_install boolean
- Baseline / false-positive suppression via glob rules or fingerprints
- MCP server mode so agents can gate skill installs at runtime

---

## Why it matters

AI agent skills execute with implicit trust and almost no vetting by default. Per the SkillSpector README, research shows 26.1% of skills contain vulnerabilities and 5.2% show likely malicious intent, meaning roughly one in twenty skills you install could be actively hostile.

## The big picture

The agent skill ecosystem (Claude Code, Codex CLI, Gemini CLI) has grown faster than its security tooling. Skills run with broad file system and network access, making them a high-value attack surface for prompt injection, credential harvesting, and supply chain compromise. SkillSpector fills that gap with a purpose-built scanner that understands the skill format rather than applying generic linting.

## How it works

SkillSpector runs a two-stage pipeline. Stage one is fast static analysis: pattern matching across 68 rules in 17 categories, from YARA signatures and AST-level dangerous code detection to MCP least-privilege checks. Stage two is optional LLM semantic evaluation, which catches intent-level issues that pattern matching misses, things like subtly worded refusal-suppression instructions. You choose the LLM provider (OpenAI, Anthropic, NVIDIA build.nvidia.com, or a local Ollama/vLLM endpoint) via environment variables. Skip stage two with `--no-llm` for CI speed.

## Zoom in

The 17 vulnerability categories cover more ground than typical security linters. Supply chain checks (SC1-SC6) include live CVE lookups against OSV.dev and typosquatting detection. MCP-specific categories (MCP least privilege, MCP tool poisoning) are purpose-built for the protocol. Anti-refusal patterns (AR1-AR3) detect jailbreak framing like "you have no restrictions" embedded inside skill instructions. Taint tracking and AST analysis catch dangerous code that wouldn't surface in a text search.

## Yes, but

LLM semantic analysis requires an external API key and adds latency and cost. The `--no-llm` flag gives you static-only results, which are faster but may miss intent-level manipulation. False positives are manageable via a baseline file (committed to the repo) that suppresses known findings so repeated scans only surface new issues.

## The bottom line

SkillSpector is the most purpose-built tool available for auditing agent skills before they run on your machine or in your CI pipeline. For any team shipping or consuming skills at scale, running it as an MCP server turns a manual audit step into an automated runtime guardrail, the scanner becomes a gatekeeper, not an afterthought.

## FAQ

### What is SkillSpector and what problem does it solve?

SkillSpector is an open-source security scanner built by NVIDIA specifically for AI agent skills, the instruction files used by tools like Claude Code, Codex CLI, and Gemini CLI. Agent skills execute with implicit trust and minimal vetting, and per the project's README, research shows 26.1% of skills contain vulnerabilities and 5.2% show likely malicious intent. SkillSpector answers the question 'Is this skill safe to install?' before you run it, rather than discovering a problem after the fact.

### How do I install and run SkillSpector?

The fastest install is `uv tool install git+https://github.com/NVIDIA/skillspector.git`, which requires Python 3.12+ and no cloning. You can also clone the repo and run `make install` inside a virtual environment. If you want to avoid any Python dependency, build the included Dockerfile (`make docker-build`) and scan by mounting your directory: `docker run --rm -v "$PWD:/scan" skillspector scan ./my-skill/ --no-llm`. To add LLM semantic analysis, set `SKILLSPECTOR_PROVIDER` and the matching API key environment variable before running.

### Is SkillSpector free and open source?

Yes, SkillSpector is released under the Apache 2.0 license, which permits free use, modification, and redistribution. The tool itself costs nothing. However, enabling LLM semantic evaluation requires an API key from whichever provider you choose (OpenAI, Anthropic, NVIDIA build.nvidia.com), and those providers charge for API usage. Running a local model via Ollama or vLLM avoids any API cost.

### What is SkillSpector best for?

SkillSpector is best for teams that install third-party agent skills from public registries or GitHub and need a structured, reproducible security review before deployment. It is also well-suited to CI/CD pipelines, the SARIF output format plugs directly into GitHub Advanced Security and most IDE tooling. For teams already using Claude Code or Codex CLI, registering SkillSpector as an MCP server turns it into a runtime guardrail that gates every skill install automatically.

### How does SkillSpector compare to generic security linters?

Generic linters check for code-level vulnerabilities in standard software but have no concept of agent-specific attack surfaces like prompt injection, MCP tool poisoning, memory poisoning, or anti-refusal jailbreak framing. SkillSpector's 68 patterns across 17 categories are purpose-built for the skill format, including MCP-specific categories that no general-purpose linter covers. The optional LLM semantic stage further catches intent-level manipulation that pattern matching cannot detect, making it qualitatively different from tools like Semgrep or Bandit applied naively to skill files.

### What are the main limitations or risks of using SkillSpector?

Static analysis alone (--no-llm) may miss intent-level manipulation, so the LLM semantic stage is recommended for high-stakes installs. That stage sends skill content to an external API, which may be a concern for confidential skill code, use a local Ollama or vLLM endpoint to keep data on-premises. False positives are possible; the baseline suppression system lets you accept known findings so re-scans only surface new issues, but it requires an initial triage step. Finally, SkillSpector is an open-source project with no managed hosting or SLA, so production use depends on your own infrastructure.

---
[View on Analog](https://analoghq.ai/nvidia/software-tools/skillspector)