NVIDIA Releases SkillSpector — Open-Source Scanner for AI Agent Skills

AI relevance: AI agent skills execute with implicit trust and minimal vetting — SkillSpector addresses the supply-chain gap where 26.1% of skills contain vulnerabilities and 5.2% show likely malicious intent.

Key Details

  • NVIDIA open-sourced SkillSpector, a security scanner designed to detect vulnerabilities, malicious patterns, and supply-chain risks in AI agent skills before installation
  • Targets skills used by Claude Code, Codex CLI, Gemini CLI, and other agentic coding tools that execute with elevated privileges
  • Covers 68 vulnerability patterns across 17 categories: prompt injection, data exfiltration, privilege escalation, supply chain, excessive agency, output handling, system prompt leakage, memory poisoning, tool misuse, rogue agent, anti-refusal, trigger abuse, dangerous code (AST), taint tracking, YARA signatures, MCP least privilege, and MCP tool poisoning
  • Two-stage analysis: fast static analysis plus optional LLM semantic evaluation for deeper inspection
  • Live vulnerability lookups via OSV.dev for real-time CVE data with automatic offline fallback
  • Supports multiple input formats: Git repos, URLs, zip files, directories, or single SKILL.md files
  • Multiple output formats: terminal, JSON, Markdown, and SARIF reports for CI/CD integration
  • Risk scoring: 0-100 score with severity labels and clear recommendations
  • Baseline suppression feature allows accepting known findings so re-scans surface only new issues
  • Works with OpenAI, Anthropic, AWS Bedrock, NVIDIA inference, and local OpenAI-compatible servers (Ollama, vLLM, llama.cpp)
  • Can run as a Docker container or via uv tool install for quick CLI deployment
  • Includes a Pi extension for scanning skills from inside agent sessions
  • Research shows 26.1% of skills contain vulnerabilities and 5.2% show likely malicious intent — SkillSpector turns manual security review into a one-command gate

Why It Matters

AI agent skills are the new npm packages — third-party code that executes with implicit trust inside privileged agent environments. Until now, the advice was "install only skills you trust," which fails when popular packages can be the infected ones. SkillSpector provides the first open-source, automated gate for the agent skill supply chain, addressing a critical gap as agentic coding tools scale adoption.

What to Do

  • Integrate SkillSpector into CI/CD pipelines for all agent skill repositories
  • Run static scans (--no-llm) on every PR before merging skill changes
  • Use baseline suppression to track only new findings after initial audit
  • Enable LLM semantic analysis for high-risk skills before production deployment
  • Deploy SkillSpector as a Pi tool for runtime scanning inside agent sessions
  • Monitor SARIF reports in IDE tooling for developer-facing feedback loops

Sources