
NVIDIA SkillSpector

Apache-2.0 security scanner from NVIDIA for AI agent skills, with static pattern checks, optional LLM semantic analysis, MCP least-privilege and tool poisoning analyzers, OSV.dev vulnerability lookups, risk scoring, and terminal, JSON, Markdown, and SARIF reports.

by NVIDIA · added 2026-06-18 · Harness, CLI

Review first: open the source and read the safety notes before installing.

Safety notes

  • SkillSpector is a scanner, not a sandbox. Scanning a Git URL clones code, scanning a URL downloads content, and scanning a zip extracts it; review untrusted inputs in a disposable workspace or container.
  • Use `--no-llm` when skill contents should not be sent to an external model provider for semantic analysis.
  • LLM-based findings are useful triage signals but should not be treated as formal proof that a skill is safe or malicious.
  • SARIF, JSON, Markdown, and terminal reports can include file paths, snippets, tool names, dependency names, vulnerability IDs, and recommendations; handle reports as security-sensitive artifacts.
  • OSV.dev live lookups send dependency package names and versions to the public OSV API, with fallback behavior documented for offline or failed requests.
  • The README presents the project as a pre-install check for skills, but operators should still review scripts, permissions, MCP tools, network access, and installer commands manually.

Privacy notes

  • SkillSpector can read skill manifests, source files, scripts, dependencies, local paths, raw URLs, Git clone contents, zip contents, and generated report outputs.
  • Optional LLM analysis may send skill content, code excerpts, metadata, and findings to the configured model provider or OpenAI-compatible endpoint.
  • LangGraph/LangChain-related runtime configuration and any enabled tracing can record scan metadata depending on the local environment variables.
  • Do not scan private skills, customer code, secrets, proprietary prompts, credentials, or regulated data with LLM analysis enabled unless that data flow is approved.

Prerequisites

  • Python 3.12 or newer and a virtual environment, or Docker if building the included container image.
  • Git when scanning remote repositories or installing from the source repository.
  • A local skill directory, single `SKILL.md`, zip archive, raw file URL, or Git repository URL to scan.
  • Provider credentials only if enabling optional LLM semantic analysis with OpenAI, Anthropic, NVIDIA build, or an OpenAI-compatible local endpoint.
  • A policy for handling scan reports, SARIF uploads, temporary clones, downloaded files, and skill source content.

Schema details

  • Install type: cli
  • Troubleshooting: No
  • Source repository stats: Scope: Source repo
  • Collection metadata: Estimated setup: 20 minutes; Difficulty: intermediate
  • Tool listing metadata: Pricing: free; Disclosure: editorial; Application category: DeveloperApplication; Operating system: Cross-platform

About this resource

Overview

NVIDIA SkillSpector is an open-source security scanner for AI agent skills. It is designed to answer a practical question before installing a skill: does this bundle contain risky instructions, scripts, dependencies, permissions, or MCP metadata that deserve review?

Use it as a pre-install or CI triage tool for Claude Code, Codex CLI, Gemini CLI, Cursor, and other Agent Skills-style ecosystems. It accepts Git repositories, URLs, zip files, directories, and single files, then produces risk-scored terminal, JSON, Markdown, or SARIF reports.

Install

The README documents source-based installation in an activated virtual environment:

git clone https://github.com/NVIDIA/SkillSpector.git
cd SkillSpector
uv venv .venv
source .venv/bin/activate
make install

Run a static-only scan without sending content to an LLM provider:

skillspector scan ./my-skill/ --no-llm

Generate machine-readable output:

skillspector scan ./my-skill/ --no-llm --format json --output report.json
skillspector scan ./my-skill/ --no-llm --format sarif --output report.sarif

The README also documents Docker builds and optional LLM analysis through OpenAI, Anthropic, NVIDIA build, or OpenAI-compatible local endpoints.

Capabilities

  • Inputs: Git repositories, raw file URLs, local zip files, single Markdown files, and local directories
  • Static analysis: Prompt injection, data exfiltration, privilege escalation, supply-chain, excessive agency, output handling, memory poisoning, tool misuse, rogue-agent, trigger abuse, YARA, AST, and taint checks
  • MCP security: Dedicated MCP least-privilege and MCP tool-poisoning analyzers
  • LLM analysis: Optional semantic review for developer intent, security discovery, quality policy, and description-behavior mismatch
  • Dependency risk: OSV.dev live vulnerability lookups with documented fallback behavior
  • Reporting: Terminal, JSON, Markdown, and SARIF output with risk scoring and severity labels

Use Cases

  • Scan a third-party Agent Skill before installing it into Claude Code, Codex, Gemini CLI, Cursor, or a similar agent runtime.
  • Add a static-only `--no-llm` check to a skill registry review workflow.
  • Generate SARIF for CI, code scanning, or security-review artifacts.
  • Review MCP-enabled skills for underdeclared capabilities, wildcard permissions, missing permissions, overdeclared permissions, hidden tool instructions, Unicode deception, parameter injection, and description-behavior mismatches.
  • Triage suspected malicious skills that ask for broad shell, file, network, environment, memory, or MCP tool access.

Source Review

Verified on 2026-06-18:

  • The upstream README describes SkillSpector as a security scanner for AI agent skills used by Claude Code, Codex CLI, Gemini CLI, and similar tools.
  • The README states that SkillSpector scans Git repos, URLs, zip files, directories, and single files.
  • The README lists 64 vulnerability patterns across 16 categories, including prompt injection, data exfiltration, privilege escalation, supply-chain risk, excessive agency, output handling, memory poisoning, tool misuse, rogue agent, trigger abuse, YARA signatures, MCP least privilege, and MCP tool poisoning.
  • The README documents fast static analysis plus optional LLM semantic evaluation.
  • The README documents terminal, JSON, Markdown, and SARIF output, with risk scoring and recommendations.
  • pyproject.toml declares the skillspector CLI, Python 3.12+ support, Apache-2.0 licensing, LangGraph, OpenAI, Anthropic, NVIDIA, YARA, and security-scanner dependencies.
  • src/skillspector/cli.py exposes skillspector scan, --no-llm, --format, --output, and --yara-rules-dir options and exits nonzero for high-risk scan results.
  • src/skillspector/input_handler.py resolves Git URLs, raw file URLs, local zip files, single Markdown files, and directories into a local scan path.
  • docs/B.3.1-mcp-least-privilege.md documents implemented MCP least-privilege checks for underdeclared, wildcard, missing, and overdeclared permissions.
  • docs/B.3.2-mcp-tool-poisoning.md documents implemented tool-poisoning checks for hidden instructions, Unicode deception, parameter injection, and description-behavior mismatch.
  • docs/SC4-osv-live-vulnerability-lookups.md documents OSV.dev batch lookups, caching, fallback behavior, severity mapping, and validation tests.
  • GitHub metadata reported the repository under NVIDIA/SkillSpector, Apache 2.0 licensing, Python as the primary language, active updates in June 2026, and no latest GitHub release at the time of review.
  • PyPI did not resolve a public skillspector package at review time, so this entry uses the source install path from the README instead of a package URL.

Safety and Privacy

SkillSpector helps reduce skill-install risk, but it does not make untrusted skills safe to execute. Use it before installation, inspect the flagged files manually, and prefer disposable workspaces or containers when scanning unknown repositories, URLs, or zip archives.

Static-only scans avoid model-provider disclosure. If LLM analysis is enabled, skill content and findings can leave the local machine through the configured provider or endpoint. Treat reports as sensitive because they may include paths, source snippets, dependency names, vulnerability IDs, and details about private agent workflows.

Duplicate Check

Checked current content/tools/, content/skills/, content/mcp/, content/agents/, README entries, open pull requests, and repository-wide content for SkillSpector, NVIDIA SkillSpector, NVIDIA/SkillSpector, skillspector, agent skill scanner, malicious skill detection, MCP least privilege scanner, and MCP tool poisoning scanner. No dedicated SkillSpector entry, exact source URL duplicate, target file, or open duplicate PR was found.

Disclosure

Editorial listing. No paid placement or affiliate link is used. NVIDIA SkillSpector is Apache-2.0 open-source software; model providers, OSV.dev, LangGraph/LangChain tracing, Docker images, Git hosting, CI systems, SARIF viewers, and scanned skill sources may have separate terms, billing, retention, privacy controls, and operational requirements.


How it compares

NVIDIA SkillSpector side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes, all from reviewed registry metadata. All four entries are source-backed listings in the tools category, added 2026-06-18, with install risk "Review first", safety and privacy notes disclosed, and no claimed citations.

NVIDIA SkillSpector

  • Description: Apache-2.0 security scanner from NVIDIA for AI agent skills, with static pattern checks, optional LLM semantic analysis, MCP least-privilege and tool poisoning analyzers, OSV.dev vulnerability lookups, risk scoring, and terminal, JSON, Markdown, and SARIF reports.
  • Author: NVIDIA
  • Platforms: CLI
  • Install: git clone https://github.com/NVIDIA/SkillSpector.git && cd SkillSpector && make install
  • Config:
    {
      "staticOnly": "skillspector scan ./my-skill/ --no-llm",
      "jsonReport": "skillspector scan ./my-skill/ --no-llm --format json --output report.json",
      "sarifReport": "skillspector scan ./my-skill/ --no-llm --format sarif --output report.sarif"
    }
  • Safety notes, privacy notes, and prerequisites: as listed above.

Snyk Agent Scan

  • Description: Security scanner from Snyk for discovering local AI agent components, including MCP servers and Agent Skills, and checking them for prompt injection, tool poisoning, tool shadowing, toxic flows, malware payloads, credential handling, and hardcoded secrets.
  • Author: Snyk
  • Platforms: CLI
  • Install: uvx snyk-agent-scan@latest
  • Safety notes: Scanning MCP configuration files can execute the commands declared for stdio MCP servers so Agent Scan can retrieve tool descriptions. Interactive scans ask for consent before starting each stdio MCP server; review the command and arguments before approving. Use `--dangerously-run-mcp-servers` only in trusted environments after verifying every MCP server command. CLI output is marked experimental upstream, so avoid building brittle production parsers around issue codes or output fields without Snyk guidance. Sandbox untrusted third-party MCP configs, skills, plugins, or agent workspaces before scanning.
  • Privacy notes: Agent Scan can discover local agent configuration paths, MCP server names, commands, arguments, tool names, descriptions, prompts, resources, skill text, and local component inventories. The README states skills, agent applications, tool names, and descriptions are shared with Snyk for validation. Control-server bootstrap can send redacted CLI args, OS and Python details, hostname, username, shell, locale, timezone, working directory, home directory, executable path, and readable home-directory metadata when enabled. Review Snyk Agent Scan terms, enterprise deployment guidance, and organization policy before scanning customer data, proprietary skills, or sensitive agent configurations.
  • Prerequisites:
    • Python 3.10 or newer, through uv/uvx or another supported Python package execution path.
    • A Snyk account and `SNYK_TOKEN` environment variable for scan verification.
    • Permission to inspect the local user's AI agent configuration files, MCP server configs, and Agent Skill directories.
    • A sandbox, VM, container, or disposable environment when scanning untrusted MCP configs.

Skillshare

  • Description: MIT-licensed Go CLI for syncing AI agent skills, agents, rules, commands, prompts, and other file-based resources across Codex, Claude Code, OpenClaw, Cursor, Windsurf, Gemini-style targets, and dozens of other AI CLI tools.
  • Author: runkids
  • Platforms: Cursor, Codex, CLI
  • Install: brew install skillshare
  • Config:
    source: ~/.config/skillshare/skills
    mode: merge
    targets:
      claude:
        path: ~/.claude/skills
      codex:
        path: ~/.codex/skills
        mode: symlink
      openclaw:
        path: ~/.openclaw/skills
      cursor:
        path: ~/.cursor/skills
        mode: copy
    ignore:
      - "**/.git/**"
      - "**/node_modules/**"
  • Safety notes: Skillshare writes into multiple agent skill directories. A bad sync can propagate unsafe, stale, or target-incompatible instructions across every configured AI CLI. Run `skillshare sync --dry-run` before the first sync, after target changes, and before `--force`, especially when local skills already exist in target directories. The README documents shell and PowerShell installers that download and execute release artifacts from GitHub. Inspect installer scripts or use a pinned release/Homebrew path when supply-chain control matters. The Unix installer may use `sudo` when installing to `/usr/local/bin`; review `INSTALL_DIR` and PATH behavior before running in managed environments. The audit engine is a useful gate for prompt injection, hidden Unicode, credential access, data exfiltration, destructive commands, hardcoded secrets, and tamper checks, but it is pattern-based and does not prove a skill is safe. Avoid `--force` and broad include patterns until target filters, `.skillignore`, copy/symlink behavior, and backups have been reviewed.
  • Privacy notes: Skillshare can read, copy, symlink, collect, audit, back up, commit, push, and pull local skill, agent, rule, command, prompt, and extra files. Skills can contain prompts, workflow instructions, local paths, target-specific rules, credentials by mistake, internal URLs, repository conventions, customer context, or model-provider guidance. Audit reports, backups, UI views, logs, git commits, and synced target directories can reveal the contents of private skills and agent instructions. Remote installs from GitHub, GitLab, Bitbucket, Azure DevOps, or self-hosted Git expose repository URLs and may fetch untrusted content into the local source directory before sync. The README describes Skillshare as local, lightweight, offline-capable, and without telemetry; still treat any configured remotes, git pushes, setup actions, and hosted documentation links as external data flows.
  • Prerequisites:
    • A supported install path: Homebrew, GitHub release archive, shell installer, PowerShell installer, or GitHub Actions setup action.
    • One or more local AI CLI tools with skill directories, such as Codex, Claude Code, OpenClaw, Cursor, OpenCode, Windsurf, Qwen, Goose, or a custom target.
    • A source directory for reviewed skills, agents, and extras, or a project-level `.skillshare/` configuration for repo-local skills.
    • A policy for symlink, copy, or merge mode per target, especially on Windows or tools that cannot follow symlinks.

Browser Harness

  • Description: MIT-licensed CDP browser-control harness from Browser Use that lets Claude Code, Codex, and other coding agents connect to a real or cloud Chrome browser, use screenshots and coordinate clicks, edit task-specific helpers, and optionally learn reusable domain skills for web automation workflows.
  • Author: Browser Use
  • Platforms: Codex, CLI
  • Install: git clone https://github.com/browser-use/browser-harness && cd browser-harness && uv tool install -e .
  • Safety notes: Browser Harness can connect agents to a real logged-in Chrome profile. Remote debugging may expose active sessions, extensions, bookmarks, history, page content, downloads, uploads, and account actions to the agent. The documented Way 1 setup uses the user's everyday Chrome profile through `chrome://inspect/#remote-debugging`; require explicit user consent before attaching to sensitive accounts. The documented Way 2 setup launches Chrome with a non-default `--user-data-dir` and remote debugging port; keep that isolated profile separate from everyday browser data. Remote Browser Use Cloud sessions require `BROWSER_USE_API_KEY`, may use proxies, can persist profile state, and can continue billing until timeout or shutdown. Agents using Browser Harness can edit `agent-workspace/agent_helpers.py` and optional domain-skill files; review generated helper code and public skill contributions before reuse. Browser automation can submit forms, send messages, purchase items, scrape websites, change account settings, and upload files. Keep destructive or account-writing tasks behind confirmation.
  • Privacy notes: Browser Harness workflows can expose page screenshots, DOM text, URLs, cookies-backed login state, account data, downloads, uploads, form inputs, and extracted website data to the agent and configured model providers. Profile sync for Browser Use Cloud is documented as cookies-only, but it still moves browser authentication material into a remote browser environment. Cloud browser live URLs, proxy settings, profile identifiers, daemon logs, `/tmp` socket or pid files, and copied support artifacts may reveal browsing activity or account context. Public domain-skill PRs should not include secrets, private selectors tied to confidential apps, customer data, screenshots, credentials, tokens, or personal browsing history.
  • Prerequisites:
    • Python 3.11 or newer, uv, git, and a durable local checkout for editable installation.
    • A Chrome or Chromium-based browser that can be attached through Chrome remote debugging, or a Browser Use Cloud API key for cloud browsers.
    • Codex, Claude Code, or another agent host that can read the Browser Harness `SKILL.md` instructions.
    • A clear boundary for which browser profile, logged-in sites, cloud browser sessions, downloads, uploads, and account actions the agent may access.
