skillspector

---
name: skillspector
description: Use when vetting an AI agent skill before installing it, to scan the SKILL.md and its code for prompt injection, data exfiltration, and other malicious or vulnerable patterns.
source: https://github.com/NVIDIA/SkillSpector
generated: 2026-06-18T02:46:55.732Z
category: security
audience: ai
---

## When to use

- Before installing a third-party skill, MCP server, or agent workflow from an untrusted source
- Auditing a directory, git repo, or zip of skills for supply-chain and prompt-injection risk
- Adding a security gate to CI that fails the build when a skill scores above a risk threshold
- Investigating a suspicious skill that requests unexpected tools, network access, or filesystem reach

## Key concepts

### Two-stage detection pipeline

Static analysis runs first (regex + AST) for speed and recall; an optional LLM pass adds semantic context and intent, lifting precision to roughly 87%. Use --no-llm to skip the semantic stage and run static-only.

### 64 patterns across 16 categories

Detectors cover prompt injection, data exfiltration, privilege escalation, supply-chain attacks, excessive agency, system-prompt leakage, memory poisoning, tool misuse, and MCP-specific risks, plus AST behavioral analysis, taint tracking, and YARA signatures.

### Risk score (0-100)

Each scan yields a 0-100 risk score with a severity recommendation, so you can set a numeric gate. NVIDIA reports 26.1% of skills contain vulnerabilities and 5.2% show likely malicious intent.

### Live CVE lookups

Dependencies are checked against the OSV.dev API at scan time, so known-vulnerable packages pulled in by a skill are flagged with their CVEs rather than relying on a stale local database.

### Multiple inputs and output formats

Accepts local directories, git repositories, zip files, or individual files. Emits terminal, JSON, Markdown, or SARIF — SARIF drops straight into GitHub code scanning and other security dashboards.

### LangGraph workflow

The scan is orchestrated as a LangGraph graph. Beyond the CLI, you can invoke it programmatically with graph.invoke({...}) and choose the LLM provider (OpenAI, Anthropic, or build.nvidia.com) via environment variables.

## API reference

```
git clone + make install
```

Install SkillSpector into a Python 3.12+ virtual environment.

```
git clone https://github.com/NVIDIA/skillspector.git
cd skillspector
make install
```

```
skillspector scan [PATH] [OPTIONS]
```

Scan a skill directory, repo, zip, or file and print a risk report to the terminal.

```
skillspector scan ./my-skill/
```

```
skillspector scan --no-llm
```

Run static-only analysis, skipping the optional LLM semantic stage (faster, no API key).

```
skillspector scan ./my-skill/ --no-llm
```

```
make docker-build + docker run
```

Build and run the scanner via Docker with no local Python install.

```
make docker-build
docker run --rm -v "$PWD:/scan" skillspector scan ./my-skill/
```

```
graph.invoke({ input_path, use_llm })
```

Run a scan programmatically from Python via the LangGraph interface.

```
from skillspector import graph
result = graph.invoke({"input_path": "/path/to/skill", "use_llm": True})
```

## Gotchas

- Requires Python 3.12+; if you can't install it locally, use the Docker path (make docker-build) instead
- Static-only mode (--no-llm) is the default safe baseline; the LLM stage needs a configured provider key (OpenAI, Anthropic, or build.nvidia.com)
- A clean static scan is not a guarantee — likely-malicious intent often only surfaces once the LLM semantic stage runs
- CVE lookups call the OSV.dev API at scan time, so dependency findings need network access
- Use SARIF output to wire results into GitHub code scanning rather than parsing terminal text

---
Generated by SkillMake from https://github.com/NVIDIA/SkillSpector on 2026-06-18T02:46:55.732Z.
Verify against source before relying on details.

File: ~/.claude/skills/skillspector/SKILL.md