How NVIDIA’s Open‑Source SkillSpector Secures AI Agent Skills Before Installation

Introduction

NVIDIA has open‑sourced SkillSpector , a security scanner for AI Agent skills. Before a skill is installed into environments such as Claude Code, Codex CLI or Gemini CLI, SkillSpector can detect malicious instructions, privilege‑escalation behavior, data‑exfiltration, supply‑chain risks, or dangerous code.

Core Capabilities

SkillSpector’s functionality is described by five keywords: multi‑input, broad coverage, two‑stage, integrable, explainable .

1. Multi‑format Input Scanning

It can scan not only local directories but also Git repositories, URLs, zip files and individual SKILL.md files, enabling both pre‑install remote scans and integration into internal skill‑publishing pipelines.

2. 64 Detection Modes Covering 16 Security Categories

The built‑in rules span categories such as Prompt Injection, Data Exfiltration, Privilege Escalation, Supply‑Chain risk, Excessive Agency, Output Handling, System Prompt Leakage, Memory Poisoning, Tool Misuse, Rogue Agent, Trigger Abuse, Dangerous Code AST, Taint Tracking, YARA Signatures, MCP Least Privilege and MCP Tool Poisoning.

3. Two‑Stage Analysis: Static Scan + Optional LLM Semantic Analysis

Static analysis quickly finds suspicious patterns using regular‑expression matching, AST dangerous‑call detection, dependency‑vulnerability lookup, file‑level scanning and suspicious‑script identification. Typical detections include exec(), eval(), subprocess, os.system, external script fetches, environment‑variable collection, and unpinned dependencies.

LLM semantic analysis interprets context and intent to reduce false positives. For example, a requests.post call may be a benign report upload or an exfiltration of environment variables; the LLM decides based on surrounding code.

4. Real‑time Dependency Vulnerability Lookup

SkillSpector’s SC4 rule queries OSV.dev for known CVEs without requiring an API key, supports batch queries, offline fallback, and caches results for one hour, allowing it to assess both the skill itself and its dependency chain.

5. Multiple Report Formats for Automation

Supported output formats include:

Terminal (human‑readable)

JSON (machine‑readable for further processing)

Markdown (documentation archiving)

SARIF (CI/CD, code‑scanning platforms, IDE integration)

These formats enable seamless integration into automated pipelines.

Installation

SkillSpector requires Python 3.12+. The recommended steps are:

# Clone repository
git clone https://github.com/NVIDIA/skillspector.git
cd skillspector
# Create virtual environment (uv or venv)
uv venv .venv && source .venv/bin/activate
# or python3 -m venv .venv && source .venv/bin/activate
# Install
make install   # production
# or
make install-dev   # development

A Docker image is also available (e.g.,

registry.cn-beijing.aliyuncs.com/opencontainers/skillspector:latest

) and can be run with a volume mount to scan a skill directory.

Quick Usage Examples

Scan a local skill directory: skillspector scan ./my-skill/ Scan a single SKILL.md file: skillspector scan ./SKILL.md Scan a remote Git repo: skillspector scan https://github.com/user/my-skill Scan a zip package: skillspector scan ./my-skill.zip Generate JSON report:

skillspector scan ./my-skill/ --format json --output report.json

Generate SARIF report for CI/CD:

skillspector scan ./my-skill/ --format sarif --output report.sarif

Skip LLM analysis for speed or privacy:

skillspector scan ./my-skill/ --no-llm

Risk Scoring Mechanism

SkillSpector computes a 0‑100 risk score with weighted categories:

CRITICAL: +50

HIGH: +25

MEDIUM: +10

LOW: +5

Executable scripts receive a 1.3× multiplier.

Score ranges map to recommendations:

0‑20: LOW / SAFE

21‑50: MEDIUM / CAUTION

51‑80: HIGH / DO NOT INSTALL

81‑100: CRITICAL / DO NOT INSTALL

This scoring can act as a gatekeeper: low risk passes, medium risk triggers manual review, high/critical risk blocks installation.

Technical Highlights

Rule Coverage for Agent‑Specific Risks

Beyond traditional SAST, SkillSpector checks hidden commands in skill descriptions, parameter injection in tool metadata, prompt leakage, memory poisoning, mismatched MCP permissions, and over‑aggressive autonomous agent behavior.

AST Detection of Dangerous Calls

It flags Python constructs such as exec(), eval(), compile(), subprocess, os.system, dynamic imports and attribute accesses—crucial for skills that contain executable scripts.

Taint Tracking for Real‑World Attack Chains

By linking data flows (e.g., reading a secret → constructing a request → sending to an external server), SkillSpector surfaces high‑impact chains that would be missed by isolated checks.

Typical Application Scenarios

Security check before installing third‑party Agent skills.

Enterprise internal skill marketplace review, with automatic PR scans, SARIF reports, high‑risk rule blocking, and medium‑risk issues routed for manual review.

Platform‑level supply‑chain security for Agent ecosystems, using SkillSpector as a first‑line detector.

Reference Resources

GitHub repository: https://github.com/nvidia/skillspector
Development docs: https://raw.githubusercontent.com/NVIDIA/SkillSpector/main/docs/DEVELOPMENT.md
OSV.dev: https://osv.dev