SkillSpector: AI Agent Skill Security Scanner
SkillSpector is an AI agent skill security scanner from NVIDIA that inspects a skill — a Git repo, URL, zip, directory, or single SKILL.md file — for vulnerabilities, malicious patterns, and risky code before you install it. It runs 68 detection patterns across 17 categories (prompt injection, data exfiltration, privilege escalation, supply-chain risks, dangerous Python calls, and more), then returns a 0–100 risk score with a clear install / don't-install recommendation.
Reach for SkillSpector if you install agent skills from sources you don't fully trust and want a fast, scriptable check before they run — it flags prompt injection, credential exfiltration, and curl-pipe-bash supply-chain tricks that a quick eyeball read misses. Skip it, or treat it as one signal among several, if you only run first-party skills you wrote yourself, since a pattern scanner will surface false positives you have to triage with the baseline feature. It's static analysis plus an optional LLM pass, not a sandbox — it reasons about code without executing it.
The problem it solves
Agent skills for tools like Claude Code, Codex CLI, and Gemini CLI run with implicit trust: you drop a SKILL.md and its supporting scripts into your setup and the agent executes them, often with your shell, your env vars, and your credentials within reach. The README cites research finding that 26.1% of skills contain vulnerabilities and 5.2% show likely malicious intent. Reading every skill by hand before install doesn't scale, and a hidden instruction or a base64-encoded payload is easy to miss.
What is it?
SkillSpector is an open-source (Apache-2.0) AI agent skill security scanner written in Python and built by NVIDIA. You point it at a skill — a local directory, single file, Git URL, or zip — and it runs a two-stage analysis: a fast static pass (regex patterns, Python AST inspection, taint tracking, YARA signatures) plus an optional LLM semantic pass for judgment calls. It reports findings with severity labels and a 0–100 risk score, and can output plain terminal text, JSON, Markdown, or SARIF for CI and IDE tooling.
Why it's getting attention
Agent skills went mainstream fast across Claude Code, Codex CLI, and Gemini CLI, and the supply-chain question — is this skill safe to install — arrived with them. SkillSpector comes from NVIDIA, ships 68 patterns spanning classic security bugs and LLM-specific risks like prompt injection and memory poisoning, and can run as an MCP server so an agent gates its own skill installs on the scan result. The repo lists roughly 12.9k stars.
Key features
- ✓68 detection patterns across 17 categories, covering classic bugs (exec/eval, subprocess, obfuscated code) and LLM-specific risks (prompt injection, anti-refusal, memory poisoning, MCP tool poisoning)
- ✓Two-stage analysis: a fast static pass (regex, Python AST, taint tracking, YARA rules) plus an optional LLM semantic evaluation you turn off with --no-llm
- ✓Multi-format input: scan a local directory, a single SKILL.md, a Git repo URL, or a zip file
- ✓0–100 risk score with severity labels and a direct install / don't-install recommendation
- ✓Output as terminal text, JSON, Markdown, or SARIF for CI/CD and IDE integration
- ✓Live CVE lookups: the SC4 check queries OSV.dev for known-vulnerable dependencies, with an automatic offline fallback
- ✓Baseline suppression: accept known findings so re-scans surface only new issues
Best use cases
- •Vetting a third-party agent skill before you install it into Claude Code or another agent
- •Gating skill and MCP installs automatically by running SkillSpector as an MCP server that returns safe_to_install
- •Adding a security check to CI with SARIF output so findings show up in your code-scanning UI
- •Batch-scanning a whole directory of skills in parallel to triage a collection
How to install / try
Requires Python 3.12+. The quickest path is uv: `uv tool install git+https://github.com/NVIDIA/skillspector.git` for the CLI, or `uv tool install 'skillspector[mcp] @ git+https://github.com/NVIDIA/skillspector.git'` if you want the MCP server. You can also clone the repo and run `make install` (or `make install-dev`) inside a virtualenv, or build the included Dockerfile with `make docker-build` to run it with no local Python. The README documents each path.
How to use
Basic scan: `skillspector scan ./my-skill/` — it also accepts a single `SKILL.md`, a Git URL, or a `.zip`. Add `--no-llm` for a faster static-only scan, or `--format json --output report.json` (also markdown/sarif) to write a report. For an LLM pass, set `SKILLSPECTOR_PROVIDER` and the matching key (OpenAI, Anthropic, Bedrock, NVIDIA build.nvidia.com, or a local Ollama/vLLM endpoint). Suppress accepted findings with `skillspector baseline ./my-skill/ -o .skillspector-baseline.yaml`, then scan with `--baseline`. To run it as an MCP tool: `skillspector mcp`, then register it via `claude mcp add skillspector -- skillspector mcp`.
Strengths
- ✓Covers LLM-specific attack classes — prompt injection, anti-refusal, memory poisoning, MCP tool poisoning — that generic SAST tools don't look for
- ✓Runs offline as static-only with --no-llm; the LLM pass is optional and you choose the provider, including local models
- ✓SARIF and JSON output drop straight into CI and IDE code-scanning without glue code
- ✓Can act as a runtime guardrail via its MCP server, so an agent checks a skill before installing it
- ✓Baseline suppression keeps re-scans focused on new findings instead of re-flagging accepted ones
Limitations & risks
- △It's pattern-and-AST static analysis, not a sandbox — it reads code without running it, so obfuscation or logic it can't model slips through, and it will raise false positives you triage with the baseline feature
- △Meaningful semantic judgment relies on the optional LLM pass, which means an API key and per-scan cost (or a local model you host); static-only mode is shallower
- △The MCP server's HTTP transport ships with no authentication — the README says any caller that can reach the port can invoke it, so it's only safe over stdio/localhost or behind an authenticating proxy
- △The README notes the stdio MCP transport still has an initialization hang (issue #199), and the batch scanner's default DeepSeek backend is expected to sunset
- △Requires Python 3.12+, newer than some environments ship by default
Alternatives
Who should try it — and who should skip
Anyone installing agent skills or MCP servers they didn't write — platform teams, security engineers, and developers pulling skills from GitHub or a marketplace into Claude Code, Codex CLI, or Gemini CLI. It fits best where you can wire the scan into CI or an MCP install gate. If you only run a handful of first-party skills you authored, the payoff is smaller and you'll spend time triaging false positives.
Frequently asked questions
SkillSpector is an open-source AI agent skill security scanner from NVIDIA. It inspects an agent skill — a directory, file, Git repo, or zip — for vulnerabilities, prompt injection, and malicious patterns, then returns a 0–100 risk score and an install recommendation.
It runs a two-stage analysis: a fast static pass using regex patterns, Python AST inspection, taint tracking, and YARA signatures, plus an optional LLM semantic evaluation. Together they check 68 patterns across 17 categories, from exec/eval calls to prompt injection and MCP tool poisoning.
Not for static scanning — run it with `--no-llm` and it works offline. The optional LLM pass needs a provider and key (OpenAI, Anthropic, Bedrock, NVIDIA, or a local Ollama/vLLM endpoint), which adds semantic judgment at some cost.
Yes. `skillspector mcp` starts an MCP server exposing a scan_skill tool, so an MCP-capable agent like Claude Code can gate a skill or MCP install on the scan result. Register it with `claude mcp add skillspector -- skillspector mcp`.