A scanner for the new plugin surface

SkillSpector is a security scanner for AI agent skills. That sounds narrow until you look at how skills are actually used. A skill can carry instructions, scripts, metadata, MCP configuration, and social engineering text that an agent may trust at the moment it is most powerful: inside a developer workspace with file, shell, network, and credential context nearby.

The README frames the problem with two numbers from its own research context: 26.1 percent of skills contain vulnerabilities and 5.2 percent show likely malicious intent. Treat those as the authors’ stated motivation, not as a universal internet baseline. The useful point is simpler: skills are now a supply chain, and the old habit of reading a README before installing is not enough.

What it actually checks

SkillSpector combines static checks with optional LLM review. The static side covers 64 vulnerability patterns across 16 categories, including prompt injection, data exfiltration, privilege escalation, supply chain issues, memory poisoning, system prompt leakage, dangerous code, taint tracking, YARA signatures, MCP least privilege, and MCP tool poisoning. It can scan a Git repository, URL, zip, directory, or single SKILL.md.

The output choices matter for adoption. Terminal output is useful for local inspection. JSON and Markdown are useful for a review note. SARIF is the important one for teams, because it lets scan results appear in CI and security tooling rather than sitting in a paste buffer.

Install and run

The README expects Python 3.12 or newer and a virtual environment. It supports uv or pip, then installs through the repo’s Makefile:

git clone https://github.com/NVIDIA/skillspector.git
cd skillspector
uv venv .venv && source .venv/bin/activate
make install

Basic scans are direct:

skillspector scan ./my-skill/
skillspector scan ./SKILL.md
skillspector scan https://github.com/user/my-skill
skillspector scan ./my-skill.zip --format sarif --output report.sarif

LLM analysis is optional. Without it, SkillSpector is still a static scanner. With it, you configure an OpenAI-compatible endpoint, Anthropic, or NVIDIA’s inference endpoint through environment variables.

The judgment layer

This is not a magic safety stamp. Static rules are good at catching known shapes: credential scraping, broad tool permissions, remote script fetching, hidden instructions, and suspicious encodings. They are weaker when the danger is intent, dependency behavior, or a benign-looking instruction that becomes risky only inside a particular agent workflow.

That makes SkillSpector most useful as a gate before install, not as the only review. For public skills, run it before adding a marketplace. For internal skills, run it in CI so a later edit cannot quietly add network exfiltration or overbroad MCP access. For high-risk skills, read the report and the source together.

If you are building or installing agent skills, compare this with anthropics/skills, addyosmani/agent-skills, and mattpocock/skills. For a broader security-oriented skill set, see anthropics/defending-code-reference-harness.

FAQ

Does SkillSpector require an LLM? No. The scanner has static checks and can run without LLM analysis. LLM semantic review is optional.

Can it scan a GitHub repo directly? Yes. The README shows scanning a Git repository URL, a local directory, a zip file, or a single SKILL.md.

What output format should a team use? SARIF is the best fit for CI and code scanning. JSON is easier for custom tooling.

Does a clean report mean a skill is safe? No. It lowers obvious risk, but you still need to review what the skill asks the agent to do.