NVIDIA Just Open-Sourced A Security Scanner For AI Agent Skills – And It Might Save Your Infrastructure + Video

Introduction:

The AI agent ecosystem is expanding at breakneck speed, with tools like Claude Code, Codex CLI, and Gemini CLI becoming indispensable in modern development workflows. Yet beneath this convenience lies a chilling reality: these agent skills execute with implicit trust, often installed with little more than a cursory glance at a `SKILL.md` file. Research analyzing 42,447 skills across major marketplaces found that 26.1% contained at least one vulnerability, and 5.2% showed likely malicious intent. NVIDIA’s newly open-sourced SkillSpector directly addresses this blind spot, offering a two-stage security scanner that answers one critical question before you hit install: is this skill safe?

Learning Objectives:

Understand the security risks inherent in AI agent skills and why traditional vetting is insufficient
Learn to deploy and configure SkillSpector for static and LLM-powered semantic analysis
Master the interpretation of risk scores, vulnerability patterns, and actionable recommendations

1. Understanding the AI Agent Skill Threat Landscape

AI agent skills – the modular capabilities that extend tools like Claude Code, Codex CLI, and Gemini CLI – operate under a dangerous assumption: implicit trust. Unlike traditional software packages that undergo rigorous review, these skills are often installed based on minimal documentation. The research backing SkillSpector reveals staggering statistics: skills containing executable scripts were 2.12× more likely to be vulnerable. This isn’t a theoretical risk – it’s a systemic weakness in the AI supply chain.

The attack surface is broad. Malicious skills can exfiltrate environment variables containing API keys, execute arbitrary shell commands, manipulate agent memory, or even self-modify at runtime. Supply chain attacks like typosquatting and unpinned dependencies compound the problem, allowing attackers to poison dependencies with known CVEs. SkillSpector’s design reflects this complexity, detecting 64 vulnerability patterns across 16 categories – from prompt injection and data exfiltration to MCP-specific issues like least-privilege violations and tool poisoning.

Step‑by‑step: Understanding the Risk Categories

Prompt Injection (5 patterns): Instructions that override safety constraints, hide malicious directives in comments, or exfiltrate context.
Data Exfiltration (4 patterns): Sending environment variables, file contents, or conversation context to external servers.
Privilege Escalation (3 patterns): Executing sudo/root commands or accessing SSH keys and tokens.
Supply Chain (6 patterns): Unpinned dependencies, remote code execution via curl | bash, obfuscated code, typosquatting, and known vulnerable dependencies.
Excessive Agency (4 patterns): Unrestricted tool access, autonomous high-impact decisions, and unbounded resource consumption.
MCP Least Privilege (4 patterns): Capabilities not declared in permissions, wildcard permissions, and missing permission declarations.
MCP Tool Poisoning (4 patterns): Hidden directives in metadata, Unicode deception, and description-behavior mismatches.

2. Installation and Quick Start

SkillSpector is 100% open source under the Apache License 2.0 and supports multiple installation methods. The recommended approach uses a virtual environment with either `uv` or pip.

Step‑by‑step: Installation

1. Clone the repository:

git clone https://github.com/nvidia/skillspector.git
cd skillspector

2. Create and activate a virtual environment:

uv venv .venv && source .venv/bin/activate
 Or using standard venv:
python3 -m venv .venv && source .venv/bin/activate

3. Install for production use:

make install

For development with testing and linting dependencies:

make install-dev

4. Verify installation:

skillspector --help

Docker (No Python Required)

For environments where you prefer not to install Python locally, SkillSpector includes a Dockerfile based on Python 3.12-slim-bookworm:

 Build the image
make docker-build
 Or manually:
docker build -t skillspector .

Scan a local directory (mount current directory)
docker run --rm -v "$PWD:/scan" skillspector scan ./my-skill/ --1o-llm

Create an alias for repeated static scans
alias skillspector-docker='docker run --rm -v "$PWD:/scan" skillspector'
skillspector-docker scan ./my-skill/

3. Scanning Skills: Static Analysis

The first stage of SkillSpector’s pipeline is fast static analysis. It scans code for dangerous patterns – calls that execute arbitrary code or shell commands – and checks every dependency against a live database of known vulnerabilities.

Step‑by‑step: Basic Scanning

1. Scan a local skill directory:

skillspector scan ./my-skill/

2. Scan a single SKILL.md file:

skillspector scan ./SKILL.md

3. Scan a Git repository:

skillspector scan https://github.com/user/my-skill

4. Scan a zip file:

skillspector scan ./my-skill.zip

Output Formats

SkillSpector supports multiple output formats for different use cases:

 Terminal output (default – pretty formatted)
skillspector scan ./my-skill/

JSON output – machine-readable for programmatic processing
skillspector scan ./my-skill/ --format json --output report.json

Markdown output – for documentation
skillspector scan ./my-skill/ --format markdown --output report.md

SARIF output – for CI/CD integration and IDE tooling
skillspector scan ./my-skill/ --format sarif --output report.sarif

Live Vulnerability Lookups (SC4)

SkillSpector uses the OSV.dev API to check dependencies against the full Open Source Vulnerabilities database – covering tens of thousands of advisories across PyPI and npm. No API key is required, and results are cached in-memory for one hour to avoid redundant API calls. If OSV.dev is unreachable (air-gapped/offline environments), a small built-in fallback list is used.

4. LLM Semantic Analysis: Boosting Precision

Stage two is optional LLM semantic analysis. It evaluates context and intent, filters out false positives from the static stage, and pushes precision up to approximately 87%. The LLM prompt includes anti-jailbreak protections to prevent malicious skills from manipulating the analysis.

Step‑by‑step: Configuring LLM Providers

SkillSpector supports multiple LLM providers with bundled default models:

|-|-|-||

Configuration Examples

 OpenAI
export SKILLSPECTOR_PROVIDER=openai
export OPENAI_API_KEY=sk-...
skillspector scan ./my-skill/

Anthropic
export SKILLSPECTOR_PROVIDER=anthropic
export ANTHROPIC_API_KEY=sk-ant-...
skillspector scan ./my-skill/

Anthropic via Vertex-style proxy (corporate gateways, GCP Vertex AI)
export SKILLSPECTOR_PROVIDER=anthropic_proxy
export ANTHROPIC_PROXY_ENDPOINT_URL=https://my-gateway.example.com/models/claude-sonnet-4-6:streamRawPredict
export ANTHROPIC_PROXY_API_KEY=your-bearer-token
export SKILLSPECTOR_MODEL=claude-sonnet-4-6
skillspector scan ./my-skill/

Local Ollama or any OpenAI-compatible endpoint
export SKILLSPECTOR_PROVIDER=openai
export OPENAI_API_KEY=ollama
export OPENAI_BASE_URL=http://localhost:11434/v1
export SKILLSPECTOR_MODEL=llama3.1:8b
skillspector scan ./my-skill/

Skip LLM analysis (faster, static only)
skillspector scan ./my-skill/ --1o-llm

Docker with LLM Analysis

 Using a .env file
cat > .env <<'EOF'
SKILLSPECTOR_PROVIDER=anthropic
ANTHROPIC_API_KEY=sk-ant-...
EOF
docker run --rm -v "$PWD:/scan" --env-file .env skillspector scan ./my-skill/

Passing credentials directly from shell
docker run --rm -v "$PWD:/scan" -e SKILLSPECTOR_PROVIDER=anthropic -e ANTHROPIC_API_KEY="$ANTHROPIC_API_KEY" skillspector scan ./my-skill/

5. Interpreting Risk Scores and Recommendations

Every scan returns a 0-100 risk score with a clear recommendation: SAFE, CAUTION, or DO NOT INSTALL, plus the exact file and line number behind each finding.

Score Calculation:

CRITICAL issues: +50 points each
HIGH issues: +25 points each
MEDIUM issues: +10 points each
LOW issues: +5 points each
Executable scripts: 1.3× multiplier applied to the total score

Severity Levels:

| Score | Severity | Recommendation |

|-|-|-|

| 0-20 | LOW | SAFE |

| 21-50 | MEDIUM | CAUTION |

Example Output:

SkillSpector Security Report v2.0.0
Skill: suspicious-skill
Source: ./suspicious-skill/
Scanned: 2026-01-29 10:30:00 UTC

Risk Assessment
Metric Value
Score 78/100
Severity HIGH
Recommendation DO NOT INSTALL

Components (3)
File Type Lines Executable
SKILL.md markdown 142 No
scripts/sync.py python 87 Yes
requirements.txt text 3 No

Issues (2)
HIGH: Env Variable Harvesting (E2)
Location: scripts/sync.py:23
Finding: for key, val in os.environ.items():...
Confidence: 94%
Explanation: This code collects environment variables containing API keys and
secrets, then sends them to an external server.

HIGH: External Transmission (E1)
Location: scripts/sync.py:45
Finding: requests.post("https://api.skill.io/env"...
Confidence: 89%
Explanation: Data is being sent to an external server. Combined with env
harvesting above, this indicates credential exfiltration.

6. Python API Integration

For programmatic integration into security pipelines, SkillSpector exposes a Python API:

from skillspector import graph

Invoke the LangGraph workflow
result = graph.invoke({
"input_path": "/path/to/skill",
"output_format": "json",  terminal, json, markdown, or sarif
"use_llm": True,  False for static-only analysis
})

Access results
print(f"Risk Score: {result['risk_score']}/100")
print(f"Severity: {result['risk_severity']}")
print(f"Recommendation: {result['risk_recommendation']}")

for finding in result["filtered_findings"]:
print(f"[{finding['severity']}] {finding['rule_id']}: {finding['message']}")

7. CI/CD Integration and Automation

SkillSpector’s SARIF output format enables seamless integration into CI/CD pipelines and IDE tooling. This allows organizations to automatically block the installation of risky skills before they reach production environments.

Step‑by‑step: CI/CD Pipeline Integration

1. Add SkillSpector to your GitHub Actions workflow:

- name: Scan AI agent skills
run: |
pip install skillspector
skillspector scan ./skills/ --format sarif --output report.sarif

2. Upload SARIF results for GitHub Code Scanning:

- name: Upload SARIF to GitHub
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: report.sarif

Fail the build on HIGH or CRITICAL findings:

Parse JSON output and check severity
skillspector scan ./my-skill/ --format json --output report.json
if jq -e '.risk_severity | contains("HIGH") or contains("CRITICAL")' report.json; then
echo "❌ Skill contains HIGH/CRITICAL vulnerabilities. Build failed."
exit 1
fi

Write reports to the host filesystem with Docker:

docker run --rm -v "$PWD:/scan" skillspector scan ./my-skill/ --1o-llm --format json --output report.json

What Undercode Say:

Key Takeaway 1: The implicit trust model in AI agent ecosystems is fundamentally broken. With 26.1% of skills containing vulnerabilities and 5.2% showing malicious intent, organizations cannot afford to rely on manual review alone. SkillSpector provides a systematic, automated approach to skill vetting that scales across thousands of potential installations.
Key Takeaway 2: The two-stage pipeline – static analysis plus optional LLM semantic review – strikes an optimal balance between speed and accuracy. Static analysis provides high recall, catching most issues quickly, while LLM analysis pushes precision to ~87% by filtering false positives and providing human-readable explanations. The anti-jailbreak protections in the LLM prompt are a critical design feature that prevents malicious skills from evading detection through prompt manipulation.
Key Takeaway 3: SkillSpector’s 64 vulnerability patterns across 16 categories demonstrate NVIDIA’s deep understanding of the AI security landscape. From MCP-specific issues like least-privilege violations and tool poisoning to traditional concerns like supply chain attacks and credential exfiltration, the scanner covers the full spectrum of risks facing the AI agent ecosystem. The live OSV.dev integration for dependency vulnerability lookups adds real-time threat intelligence without requiring an API key – a thoughtful design choice that lowers the barrier to adoption.
Analysis: The open-sourcing of SkillSpector under Apache 2.0 is a significant move for the AI security community. By making this tool freely available, NVIDIA is effectively raising the baseline security posture of the entire AI agent ecosystem. The support for multiple output formats (terminal, JSON, Markdown, SARIF) and CI/CD integration means organizations can embed security scanning directly into their development workflows. However, the tool does have limitations – it cannot analyze text in images, encrypted or binary code, or runtime behavior. Organizations should treat SkillSpector as a critical first line of defense, not a complete security solution.

Prediction:

+1 SkillSpector will become the de facto standard for AI agent skill security scanning within 12-18 months. Its open-source nature, comprehensive pattern coverage, and CI/CD integration capabilities position it as the essential tool for any organization deploying AI agents.
+1 The tool will accelerate the development of secure AI agent marketplaces, as platforms adopt SkillSpector’s risk scoring as a mandatory certification requirement for listed skills.
-1 The sophistication of malicious skills will evolve in response to SkillSpector. Attackers will develop techniques to evade static pattern matching and LLM-based detection, necessitating continuous updates to the vulnerability pattern database.
-1 Organizations that fail to integrate skill security scanning into their AI deployment pipelines will face increasing incidents of data exfiltration and credential theft, as the adoption of AI agents outpaces security awareness.
+1 NVIDIA’s investment in AI security will spur other major AI vendors to open-source their own security tools, creating a virtuous cycle of transparency and collective defense.
-1 The 26.1% vulnerability rate among existing skills represents a massive technical debt that will take years to remediate. Organizations must prioritize scanning not just new installations but also their existing skill inventory.
+1 The integration of SkillSpector’s Python API into security orchestration platforms will enable automated remediation workflows, where vulnerable skills are automatically quarantined or updated.
-1 Small teams and individual developers may struggle to implement LLM-based analysis due to API costs, potentially leading to over-reliance on static analysis alone and missing context-dependent vulnerabilities.

▶️ Related Video (74% Match):

https://www.youtube.com/watch?v=c9ov2HeuLQ8

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Sumanth077 Nvidia – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Listen to this Post