NVIDIA's open-source security scanner for AI agent skills, detects prompt injection, supply chain attacks, and 66 other vulnerability patterns before you install.
What it does
SkillSpector is an open-source security scanner by NVIDIA that audits AI agent skills before installation. It detects 68 vulnerability patterns across 17 categories using fast static analysis plus optional LLM semantic evaluation, then returns a 0-100 risk score with severity labels and a safe-to-in
AI agent skills execute with implicit trust and almost no vetting by default. Per the SkillSpector README, research shows 26.1% of skills contain vulnerabilities and 5.2% show likely malicious intent, meaning roughly one in twenty skills you install could be actively hostile.
The agent skill ecosystem (Claude Code, Codex CLI, Gemini CLI) has grown faster than its security tooling. Skills run with broad file system and network access, making them a high-value attack surface for prompt injection, credential harvesting, and supply chain compromise. SkillSpector fills that gap with a purpose-built scanner that understands the skill format rather than applying generic linting.
SkillSpector runs a two-stage pipeline. Stage one is fast static analysis: pattern matching across 68 rules in 17 categories, from YARA signatures and AST-level dangerous code detection to MCP least-privilege checks. Stage two is optional LLM semantic evaluation, which catches intent-level issues that pattern matching misses, things like subtly worded refusal-suppression instructions. You choose the LLM provider (OpenAI, Anthropic, NVIDIA build.nvidia.com, or a local Ollama/vLLM endpoint) via environment variables. Skip stage two with --no-llm for CI speed.
The 17 vulnerability categories cover more ground than typical security linters. Supply chain checks (SC1-SC6) include live CVE lookups against OSV.dev and typosquatting detection. MCP-specific categories (MCP least privilege, MCP tool poisoning) are purpose-built for the protocol. Anti-refusal patterns (AR1-AR3) detect jailbreak framing like "you have no restrictions" embedded inside skill instructions. Taint tracking and AST analysis catch dangerous code that wouldn't surface in a text search.
LLM semantic analysis requires an external API key and adds latency and cost. The --no-llm flag gives you static-only results, which are faster but may miss intent-level manipulation. False positives are manageable via a baseline file (committed to the repo) that suppresses known findings so repeated scans only surface new issues.
SkillSpector is the most purpose-built tool available for auditing agent skills before they run on your machine or in your CI pipeline. For any team shipping or consuming skills at scale, running it as an MCP server turns a manual audit step into an automated runtime guardrail, the scanner becomes a gatekeeper, not an afterthought.
Features
Field notes
Reviewed Jun 26, 2026
Best for
Builder outcomes
Watch out
Tested with
SkillSpector is an open-source security scanner built by NVIDIA specifically for AI agent skills, the instruction files used by tools like Claude Code, Codex CLI, and Gemini CLI. Agent skills execute with implicit trust and minimal vetting, and per the project's README, research shows 26.1% of skills contain vulnerabilities and 5.2% show likely malicious intent. SkillSpector answers the question 'Is this skill safe to install?' before you run it, rather than discovering a problem after the fact.
The fastest install is `uv tool install git+https://github.com/NVIDIA/skillspector.git`, which requires Python 3.12+ and no cloning. You can also clone the repo and run `make install` inside a virtual environment. If you want to avoid any Python dependency, build the included Dockerfile (`make docker-build`) and scan by mounting your directory: `docker run --rm -v "$PWD:/scan" skillspector scan ./my-skill/ --no-llm`. To add LLM semantic analysis, set `SKILLSPECTOR_PROVIDER` and the matching API key environment variable before running.
Yes, SkillSpector is released under the Apache 2.0 license, which permits free use, modification, and redistribution. The tool itself costs nothing. However, enabling LLM semantic evaluation requires an API key from whichever provider you choose (OpenAI, Anthropic, NVIDIA build.nvidia.com), and those providers charge for API usage. Running a local model via Ollama or vLLM avoids any API cost.
SkillSpector is best for teams that install third-party agent skills from public registries or GitHub and need a structured, reproducible security review before deployment. It is also well-suited to CI/CD pipelines, the SARIF output format plugs directly into GitHub Advanced Security and most IDE tooling. For teams already using Claude Code or Codex CLI, registering SkillSpector as an MCP server turns it into a runtime guardrail that gates every skill install automatically.
Generic linters check for code-level vulnerabilities in standard software but have no concept of agent-specific attack surfaces like prompt injection, MCP tool poisoning, memory poisoning, or anti-refusal jailbreak framing. SkillSpector's 68 patterns across 17 categories are purpose-built for the skill format, including MCP-specific categories that no general-purpose linter covers. The optional LLM semantic stage further catches intent-level manipulation that pattern matching cannot detect, making it qualitatively different from tools like Semgrep or Bandit applied naively to skill files.
Static analysis alone (--no-llm) may miss intent-level manipulation, so the LLM semantic stage is recommended for high-stakes installs. That stage sends skill content to an external API, which may be a concern for confidential skill code, use a local Ollama or vLLM endpoint to keep data on-premises. False positives are possible; the baseline suppression system lets you accept known findings so re-scans only surface new issues, but it requires an initial triage step. Finally, SkillSpector is an open-source project with no managed hosting or SLA, so production use depends on your own infrastructure.
Anatomia, CLI harness that gives AI coding agents a verifiable pipeline and proof chain, not just prompts. MIT-licensed, works with Claude Code, Codex, and more.
Free repo scanner that checks GitHub and Bitbucket projects for malware, credential stealers, and crypto scams before you run their code.
Best for Developers vetting unfamiliar GitHub or Bitbucket repos before cloning or running them locallyOpen-source autonomous AI pentester for web apps and APIs, analyzes your source code and runs real exploits, for developers and security engineers.
Best for Teams shipping code daily who need on-demand, proof-driven pentesting between annual engagementsOpen-source toolkit for Spec-Driven Development with AI coding agents, structured specs, plans, and tasks instead of vibe coding.
Best for Teams using AI coding agents on projects where correctness and reliability matter more than speed of first outputjscpd is an open-source copy/paste detector for 223+ languages, with a Rust-powered v5 engine that is 24-37x faster and AI-ready out of the box.
Best for Teams wanting fast, language-agnostic duplicate code detection across large monorepos or mixed-format codebasesFree, open-source shadcn-style registry of production-ready AI agent recipes for developers who want full code ownership with zero config.
Best for Teams that want full code ownership over agent logic without being locked into an opaque runtime dependency