SkillSpector for Agent Skill Security

Agent skills are becoming the new runbooks for AI-assisted operations. That makes them powerful, but also risky. A skill can include instructions, scripts, dependencies, tool permissions, and hidden behavior that an agent may trust during real work. NVIDIA SkillSpector is trending because it treats skills like software supply chain artifacts that need scanning before installation.
For SRE and platform teams, this is the missing review step between "this skill looks useful" and "this skill can touch our repos, shells, tickets, and infrastructure context."
What Is SkillSpector?
SkillSpector is an open-source security scanner for AI agent skills used by tools such as Claude Code, Codex CLI, Gemini CLI, and similar agent runtimes. It scans Git repositories, URLs, zip files, directories, and single SKILL.md files.
The project focuses on risks that normal dependency scanners miss. It looks for prompt injection, data exfiltration, privilege escalation, hidden instructions, memory poisoning, tool misuse, unsafe code execution, MCP permission problems, and supply chain issues.
It uses a two-stage pipeline: fast static analysis first, then optional LLM semantic review for context and false-positive reduction.
Key Features
- 64 patterns across 16 categories including prompt injection, taint flow, YARA signatures, and dangerous AST behavior
- Multi-format input for repos, local folders, archives, URLs, and individual skill files
- Risk score from 0 to 100 with severity labels and install guidance
- JSON, Markdown, SARIF, and terminal output for CI and review workflows
- OSV.dev dependency checks for known CVEs with offline fallback behavior
- Optional LLM review using OpenAI, Anthropic, NVIDIA Build, or local OpenAI-compatible endpoints
Installation
SkillSpector expects Python 3.12 or newer. The project recommends a virtual environment before running the Makefile targets:
git clone https://github.com/NVIDIA/skillspector.git
cd skillspector
uv venv .venv && source .venv/bin/activate
make install
If you prefer not to install Python dependencies on the host, build the Docker image:
make docker-build
docker run --rm -v "$PWD:/scan" skillspector scan ./my-skill/ --no-llm
Usage In SRE Workflows
A simple static scan is enough for a first pass:
skillspector scan ./incident-triage-skill/ --no-llm
For CI, emit SARIF or JSON:
skillspector scan ./skills/ --format sarif --output skillspector.sarif
skillspector scan ./skills/ --format json --output skillspector.json
A practical policy is to block critical and high findings before a skill can be merged into an internal agent catalog. Medium findings should require human review, especially when the skill requests shell access, reads environment variables, calls network endpoints, or installs dependencies.
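One way to enforce that policy in CI, as an added example rather than code from the SkillSpector project: a small gate that reads the SARIF report, blocks on critical and high findings, and flags medium findings for a human. Only the SARIF 2.1.0 structure (runs[].results[].level) is standard; the rule ids, messages and the properties.severity field in the constructed sample are assumptions, since the page does not document SkillSpector's exact field names.

```python
import json

# Constructed SARIF 2.1.0 report standing in for the output of
# `skillspector scan ./skills/ --format sarif`. Rule ids and the
# `properties.severity` field are assumptions for this example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "skillspector"}}, "results": [
        {"ruleId": "example-shell-exec", "level": "error",
         "message": {"text": "curl piped to bash in setup script"},
         "properties": {"severity": "critical"}},
        {"ruleId": "example-env-read", "level": "warning",
         "message": {"text": "reads AWS_SECRET_ACCESS_KEY"},
         "properties": {"severity": "medium"}},
    ]}],
})

# Fallback when a result carries no explicit severity: map standard SARIF levels.
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "low"}
BLOCKING = {"critical", "high"}


def severity_of(result):
    """Prefer an explicit severity property; otherwise derive it from the SARIF level."""
    sev = result.get("properties", {}).get("severity")
    return (sev or LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "medium")).lower()


def evaluate_sarif(sarif_text):
    """Return a merge decision ('block', 'review' or 'allow') and the rule ids behind it."""
    doc = json.loads(sarif_text)
    results = [r for run in doc.get("runs", []) for r in run.get("results", [])]
    blocking = [r["ruleId"] for r in results if severity_of(r) in BLOCKING]
    review = [r["ruleId"] for r in results if severity_of(r) == "medium"]
    decision = "block" if blocking else "review" if review else "allow"
    return {"decision": decision, "blocking": blocking, "review": review}


if __name__ == "__main__":
    import sys
    # Read a real report from stdin when piped; otherwise run on the constructed sample.
    verdict = evaluate_sarif(SAMPLE_SARIF if sys.stdin.isatty() else sys.stdin.read())
    print(json.dumps(verdict, indent=2))
    # CI convention used here: 1 = block merge, 2 = needs human review, 0 = allow.
    sys.exit({"block": 1, "review": 2, "allow": 0}[verdict["decision"]])
```

Wire it in as `skillspector scan ./skills/ --format sarif --output skillspector.sarif && python gate.py < skillspector.sarif`, treating exit code 2 as a required manual approval rather than a pass.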
Operational Tips
Treat skills like privileged automation, not documentation. If a skill can guide an agent during an incident, it deserves code review, ownership, versioning, and security checks.
Start with read-only skills first. Scan them, run them in a sandbox, and compare declared permissions with actual behavior. Watch for broad triggers, curl | bash, unpinned packages, secret reads, and instructions that ask the agent to ignore previous rules.
Add SkillSpector to the same place you review Terraform modules, GitHub Actions, and Kubernetes manifests. Agent instructions are now part of the production control plane.
Conclusion
SkillSpector is useful because it makes agent skill risk visible before trust is granted. As SRE teams adopt AI-assisted runbooks and internal agent catalogs, scanning skills should become a normal release gate.
The bigger lesson is simple: agent behavior is supply chain surface. If a skill can shape what an agent does with production context, it needs the same review discipline as code.
