NVIDIA's SkillSpector scans agent skills for 64 security flaws

NVIDIA released SkillSpector, an open-source security scanner for AI agent skills, on GitHub. The tool detects 64 vulnerability patterns across 16 categories, including prompt injection, data exfiltration, privilege escalation, and supply chain risks. It scans files in SKILL.md format, the emerging standard for packaging agent capabilities used by Claude Code, Codex CLI, and Gemini CLI.

The timing is not accidental. Agent skills execute with implicit trust and minimal vetting, a model that worked when agents were demos and fails now that agents are production infrastructure. NVIDIA cites research in its repository showing that 26.1% of skills contain vulnerabilities and 5.2% show likely malicious intent. Those numbers come from a landscape where no dedicated security tooling existed. SkillSpector is the first attempt to close that gap.

The scanner operates in two stages. First, a static analysis pass checks for 64 patterns using AST inspection, YARA signatures, and taint tracking. Second, an optional LLM pass performs semantic evaluation against an OpenAI-compatible endpoint, which can be Anthropic, NVIDIA’s build.nvidia.com, or a local Ollama instance. The two-stage design matters: the static pass is fast and deterministic, the LLM pass is slower but catches context-dependent issues like description-behavior mismatch in MCP tool definitions.

SkillSpector assigns a risk score from 0 to 100. Critical issues add 50 points, high issues add 25, medium issues add 10, and low issues add 5. Executable scripts get a 1.3x multiplier. Scores above 51 trigger a “DO NOT INSTALL” recommendation. The scoring is blunt but useful — it forces a decision rather than burying the user in a table of findings.

The vulnerability taxonomy is where SkillSpector reveals its real contribution. The 16 categories go beyond conventional software supply chain scanning into agent-specific failure modes that have no analog in traditional package management. “Excessive Agency” flags skills that request unfettered tool access or make high-impact decisions without human-in-the-loop. “Memory Poisoning” detects content designed to persist across interactions and displace safety constraints. “Rogue Agent” catches self-modification at runtime and unauthorized session persistence via cron jobs or startup scripts.

These categories describe a threat model that the industry has been slow to formalize. A conventional vulnerability scanner checks for SQL injection or buffer overflows. SkillSpector checks for a skill that reads your environment variables and POSTs them to an external server, or a skill that uses exec() on network-sourced strings, or a skill whose declared permissions don’t match its actual code behavior. The MCP Least Privilege category alone — undeclared capability, wildcard permissions, missing permission declarations — addresses a class of risk that did not exist two years ago.

The tool also includes live vulnerability lookups via OSV.dev for known CVEs in dependencies, with automatic offline fallback. This is standard supply chain security practice, but its inclusion signals that NVIDIA sees agent skills as subject to the same dependency management discipline as any other software artifact. Skills are not magic. They are code that pulls in packages.

What SkillSpector does not do is as interesting as what it does. It does not enforce a policy. It does not block installation. It does not sandbox the skill after scanning. It produces a report and a recommendation, then leaves the decision to the user or the CI/CD pipeline. That is the right scope for a first release. Enforcing policy requires an ecosystem of trusted registries and signing authorities that does not yet exist. Sandboxing requires operating system support that most agent runtimes do not provide. SkillSpector is the detection layer in a security stack whose prevention and containment layers are still being built.

The SARIF output format is a smart choice. SARIF is the Standard for the Exchange of Audit Findings, supported by GitHub Code Scanning, VS Code, and most CI/CD platforms. By emitting SARIF, SkillSpector integrates into existing developer workflows without requiring a new dashboard or alerting system. The same pipeline that flags a vulnerable npm package can now flag a skill that tries to exfiltrate environment variables.

NVIDIA’s positioning is worth noting. The company is not selling a product here. SkillSpector is MIT-licensed open source, hosted on GitHub, and documented with a development guide covering architecture and package layout. NVIDIA’s motivation is defensive: if agent skills become a vector for supply chain attacks, the backlash will slow adoption of the entire category, including NVIDIA’s own agent infrastructure. Building the security tooling now is cheaper than cleaning up the mess later.

The research statistic in the repository — 26.1% of skills contain vulnerabilities — should give every team deploying agents pause. That number is higher than the vulnerability rate in most npm or PyPI ecosystems, and those ecosystems have decades of security tooling and incident response behind them. Agent skills have none of that. SkillSpector is the first tool, not the last.

The outstanding question is whether the ecosystem will adopt it. SkillSpector scans SKILL.md files, but SKILL.md is not yet a universal format. Claude Code uses it. Codex CLI uses it. Gemini CLI uses it. But the agent ecosystem is fragmented, and a scanner is only as useful as the format it scans. If the major agent platforms standardize on SKILL.md, SkillSpector becomes infrastructure. If they diverge, it becomes a museum piece.

For now, the tool is useful as a diagnostic. Run it against any skill you are considering installing. If it returns a score above 50, do not install. If it returns a score below 20, you still have a skill that executes code with implicit trust — the scanner just did not find anything wrong yet.