---
name: skillspector
description: Use when vetting an AI agent skill before installing it, to scan the SKILL.md and its code for prompt injection, data exfiltration, and other malicious or vulnerable patterns.
source: https://github.com/NVIDIA/SkillSpector
generated: 2026-06-18T02:46:55.732Z
category: security
audience: ai
---

## When to use

- Before installing a third-party skill, MCP server, or agent workflow from an untrusted source
- Auditing a directory, git repo, or zip of skills for supply-chain and prompt-injection risk
- Adding a security gate to CI that fails the build when a skill scores above a risk threshold
- Investigating a suspicious skill that requests unexpected tools, network access, or filesystem reach

## Key concepts

### Two-stage detection pipeline

Static analysis runs first (regex + AST) for speed and recall; an optional LLM pass adds semantic context and intent, lifting precision to roughly 87%. Use --no-llm to skip the semantic stage and run static-only.

### 64 patterns across 16 categories

Detectors cover prompt injection, data exfiltration, privilege escalation, supply-chain attacks, excessive agency, system-prompt leakage, memory poisoning, tool misuse, and MCP-specific risks, plus AST behavioral analysis, taint tracking, and YARA signatures.

### Risk score (0-100)

Each scan yields a 0-100 risk score with a severity recommendation, so you can set a numeric gate. NVIDIA reports 26.1% of skills contain vulnerabilities and 5.2% show likely malicious intent.

### Live CVE lookups

Dependencies are checked against the OSV.dev API at scan time, so known-vulnerable packages pulled in by a skill are flagged with their CVEs rather than relying on a stale local database.

### Multiple inputs and output formats

Accepts local directories, git repositories, zip files, or individual files. Emits terminal, JSON, Markdown, or SARIF — SARIF drops straight into GitHub code scanning and other security dashboards.

### LangGraph workflow

The scan is orchestrated as a LangGraph graph. Beyond the CLI, you can invoke it programmatically with graph.invoke({...}) and choose the LLM provider (OpenAI, Anthropic, or build.nvidia.com) via environment variables.

## API reference

```
git clone + make install
```

Install SkillSpector into a Python 3.12+ virtual environment.

```
git clone https://github.com/NVIDIA/skillspector.git
cd skillspector
make install
```

```
skillspector scan [PATH] [OPTIONS]
```

Scan a skill directory, repo, zip, or file and print a risk report to the terminal.

```
skillspector scan ./my-skill/
```

```
skillspector scan --no-llm
```

Run static-only analysis, skipping the optional LLM semantic stage (faster, no API key).

```
skillspector scan ./my-skill/ --no-llm
```

```
make docker-build + docker run
```

Build and run the scanner via Docker with no local Python install.

```
make docker-build
docker run --rm -v "$PWD:/scan" skillspector scan ./my-skill/
```

```
graph.invoke({ input_path, use_llm })
```

Run a scan programmatically from Python via the LangGraph interface.

```
from skillspector import graph
result = graph.invoke({"input_path": "/path/to/skill", "use_llm": True})
```
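A CI gate built on the programmatic interface above, as an added example that is not SkillSpector's own code. It assumes (unconfirmed by this page) that graph.invoke returns a dict with a numeric "risk_score" and a "findings" list whose items carry "category" and "severity"; the blocking-category names are a policy choice here, not the scanner's own labels.

```python
"""CI gate around a SkillSpector scan result (added example, not project code).

Assumptions (not confirmed by the page): graph.invoke returns a dict with a
numeric "risk_score" (0-100) and a "findings" list whose items carry a
"category" and "severity" string. Adjust the key names to the real output.
"""
import sys

# Categories that block an install on their own, regardless of score
# (policy example; SkillSpector's category labels may be spelled differently).
BLOCKING_CATEGORIES = {"data_exfiltration", "prompt_injection", "supply_chain"}


def evaluate_gate(result: dict, threshold: int = 50, llm_ran: bool = False) -> dict:
    """Decide whether a scanned skill may be installed.

    A score at or above `threshold` fails, as does any finding in a blocking
    category. A passing static-only scan is marked provisional, because a clean
    static result is not a guarantee: likely-malicious intent often only
    surfaces once the LLM semantic stage runs.
    """
    reasons = []
    score = float(result.get("risk_score", 0))
    if score >= threshold:
        reasons.append(f"risk score {score:.0f} >= threshold {threshold}")
    for finding in result.get("findings", []):
        category = str(finding.get("category", "")).lower()
        if category in BLOCKING_CATEGORIES:
            severity = finding.get("severity", "unknown")
            reasons.append(f"blocking finding: {category} ({severity})")
    allowed = not reasons
    return {"allowed": allowed, "provisional": allowed and not llm_ran, "reasons": reasons}


def run_gate(input_path: str, threshold: int = 50, use_llm: bool = True) -> int:
    """Scan via the LangGraph interface and return a CI exit code (0 = pass)."""
    from skillspector import graph  # deferred so the gate logic is testable offline

    result = graph.invoke({"input_path": input_path, "use_llm": use_llm})
    verdict = evaluate_gate(result, threshold, llm_ran=use_llm)
    for reason in verdict["reasons"]:
        print(f"FAIL: {reason}")
    if verdict["provisional"]:
        print("PASS (static-only; rerun with the LLM stage before trusting the result)")
    return 0 if verdict["allowed"] else 1


if __name__ == "__main__":
    sys.exit(run_gate(sys.argv[1] if len(sys.argv) > 1 else "./my-skill/"))
```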

## Gotchas

- Requires Python 3.12+; if you can't install it locally, use the Docker path (make docker-build) instead
- Static-only mode (--no-llm) is the default safe baseline; the LLM stage needs a configured provider key (OpenAI, Anthropic, or build.nvidia.com)
- A clean static scan is not a guarantee — likely-malicious intent often only surfaces once the LLM semantic stage runs
- CVE lookups call the OSV.dev API at scan time, so dependency findings need network access
- Use SARIF output to wire results into GitHub code scanning rather than parsing terminal text

---
Generated by SkillMake from https://github.com/NVIDIA/SkillSpector on 2026-06-18T02:46:55.732Z.
Verify against source before relying on details.