SkillSpector
Open-source security scanner for AI agent skills that detects vulnerabilities, malicious patterns, and security risks before installation using static analysis and optional LLM evaluation.
At a Glance
Fully free and open-source under Apache License 2.0. No usage limits.
Listed Jun 2026
About SkillSpector
SkillSpector is an open-source CLI tool published by NVIDIA that scans AI agent skills for security vulnerabilities before they are installed. It targets skills used by agents like Claude Code, Codex CLI, and Gemini CLI, which execute with implicit trust and minimal vetting. The project is licensed under Apache 2.0 and hosted on GitHub, where it has accumulated over 500 stars since its March 2026 release.
What It Is
SkillSpector is a security scanner purpose-built for AI agent skill packages. It addresses a gap identified in research: the repository README cites a study ("Agent Skills in the Wild," Liu et al., 2026) that analyzed 42,447 skills from major marketplaces and found that 26.1% contain at least one vulnerability and 5.2% show likely malicious intent. SkillSpector gives developers and security teams a way to audit skills before deployment, producing a 0–100 risk score with severity labels (LOW, MEDIUM, HIGH, CRITICAL) and actionable recommendations.
Detection Coverage
The scanner covers 64 vulnerability patterns across 16 categories, including:
- Prompt injection (5 patterns): instruction overrides, hidden directives, exfiltration commands, behavior manipulation, harmful content
- Data exfiltration (4 patterns): external transmission, environment variable harvesting, file system enumeration, context leakage
- Supply chain (6 patterns): unpinned dependencies, external script fetching, obfuscated code, known CVEs via live OSV.dev lookup, abandoned packages, typosquatting
- Behavioral AST (8 patterns): dangerous Python calls such as `exec()`, `eval()`, `subprocess`, `os.system`, and dynamic imports
- Taint tracking (5 patterns): data flow from sources to sinks, including credential exfiltration chains and external input reaching code execution
- YARA signatures (4 patterns): malware, webshell, cryptominer, and exploit tool matches
- MCP-specific patterns (8 patterns): least-privilege violations and tool poisoning via hidden instructions, Unicode deception, and parameter injection
Two-Stage Analysis Pipeline
SkillSpector uses a two-stage detection approach:
- Static analysis — Fast regex-based pattern matching across 11 analyzers, AST-based behavioral detection, and live CVE lookups via the OSV.dev API (no API key required, with automatic offline fallback and in-memory caching).
- LLM semantic evaluation (optional) — Evaluates context and intent, filters false positives, and generates human-readable explanations. The README states this stage improves precision to approximately 87%. The LLM prompt includes anti-jailbreak protections to prevent malicious skills from manipulating the analysis itself.
Supported LLM providers include OpenAI, Anthropic, and NVIDIA's build.nvidia.com inference gateway, as well as any OpenAI-compatible local server such as Ollama, vLLM, or llama.cpp.
Input Formats and Output Options
SkillSpector accepts Git repositories (by URL), local directories, zip archives, and single files. Output can be rendered as:
- Terminal — human-readable formatted report
- JSON — machine-readable for programmatic consumption
- Markdown — for documentation workflows
- SARIF — for CI/CD pipeline integration and IDE tooling
This SARIF support makes it straightforward to embed SkillSpector into existing DevSecOps pipelines alongside other static analysis tools.
Python API and Extensibility
Beyond the CLI, SkillSpector exposes a Python API built on LangGraph, allowing the scanner to be invoked programmatically within agent workflows or custom tooling. The development guide documents the architecture, package layout, and how to extend the analyzer pipeline with new patterns. The project uses uv or pip for dependency management and ships a Makefile with targets for installation, testing, linting, and formatting.
Update: Initial Open-Source Release (v0.1.0)
The repository was created on March 21, 2026, and last pushed on May 18, 2026, with the most recent metadata update on May 31, 2026. The example terminal output in the README shows version v0.1.0. With 501 stars and 33 forks shortly after release, the project has attracted early community interest. The README references an OSS_RELEASE.md document describing how to produce a public OSS branch, suggesting an internal-to-public release workflow.
Pricing
Open Source
- 64 vulnerability patterns across 16 categories
- Static analysis pipeline
- Optional LLM semantic analysis
- Live OSV.dev CVE lookups
- Terminal, JSON, Markdown, and SARIF output
Capabilities
Key Features
- 64 vulnerability patterns across 16 categories
- Multi-format input: Git repos, URLs, zip files, directories, single files
- Two-stage analysis: static analysis + optional LLM semantic evaluation
- Live CVE lookups via OSV.dev with automatic offline fallback
- AST-based behavioral analysis for dangerous Python calls
- Taint tracking for data flow from sources to sinks
- YARA signature matching for malware, webshells, cryptominers
- MCP least-privilege and tool poisoning detection
- Risk scoring 0–100 with severity labels and recommendations
- Output formats: terminal, JSON, Markdown, SARIF
- Python API via LangGraph for programmatic integration
- Support for OpenAI, Anthropic, NVIDIA, and local LLM providers
- Anti-jailbreak protections in LLM analysis prompt
- In-memory caching of OSV.dev results for 1 hour
