Skip to content
HN On Hacker News ↗

GitHub - NVIDIA/SkillSpector: Security scanner for AI agent skills. Detect vulnerabilities, malicious patterns, and security risks.

▲ 49 points 4 comments by taubek 4w ago HN discussion ↗

Pangram verdict · v3.3

We believe that this document is primarily AI-generated with some human-written content

80 %

AI likelihood · overall

AI
17% human-written 83% AI-generated
SEGMENTS · HUMAN 0 of 6
SEGMENTS · AI 6 of 6
WORD COUNT 1,367
PEAK AI % 99% · §4
Analyzed
Jun 12
backend: pangram/v3.3
Segments scanned
6 windows
avg 228 words each
Distribution
17 / 83%
human / AI fraction
Verdict
AI
Pangram v3.3

Article text · 1,367 words · 6 segments analyzed

Human AI-generated
§1 AI · 98%

Security scanner for AI agent skills. Detect vulnerabilities, malicious patterns, and security risks before installing agent skills.

Overview AI agent skills (used by Claude Code, Codex CLI, Gemini CLI, etc.) execute with implicit trust and minimal vetting. Research shows that 26.1% of skills contain vulnerabilities and 5.2% show likely malicious intent. SkillSpector helps you answer: "Is this skill safe to install?" Documentation

Development guide — Architecture, package layout, and how to extend the analyzer pipeline.

Features

Multi-format input: Scan Git repos, URLs, zip files, directories, or single files 64 vulnerability patterns across 16 categories: prompt injection, data exfiltration, privilege escalation, supply chain, excessive agency, output handling, system prompt leakage, memory poisoning, tool misuse, rogue agent, trigger abuse, dangerous code (AST), taint tracking, YARA signatures, MCP least privilege, and MCP tool poisoning Two-stage analysis: Fast static analysis + optional LLM semantic evaluation Live vulnerability lookups: SC4 queries OSV.dev for real-time CVE data with automatic offline fallback Multiple output formats: Terminal, JSON, Markdown, and SARIF reports Risk scoring: 0-100 score with severity labels and clear recommendations

Quick Start Installation Create and activate a virtual environment first (all make targets assume the venv is active). Use uv or pip; the Makefile uses uv if available, otherwise pip. # Clone the repository git clone https://github.com/NVIDIA/skillspector.git cd skillspector

# Create and activate virtual environment uv venv .venv && source .venv/bin/activate # or: python3 -m venv .venv && source .venv/bin/activate

# Install for production use make install

# Or install with development dependencies make install-dev Basic Usage # Scan a local skill directory skillspector scan ./my-skill/

# Scan a single SKILL.md file skillspector scan ./SKILL.md

# Scan a Git repository skillspector scan https://github.com/user/my-skill

# Scan a zip

§2 AI · 89%

file skillspector scan ./my-skill.zip Output Formats # Terminal output (default) - pretty formatted skillspector scan ./my-skill/

# JSON output - machine readable skillspector scan ./my-skill/ --format json --output report.json

# Markdown output - for documentation skillspector scan ./my-skill/ --format markdown --output report.md

# SARIF output - for CI/CD integration and IDE tooling skillspector scan ./my-skill/ --format sarif --output report.sarif LLM Analysis For the best results, configure an OpenAI-compatible LLM endpoint for semantic analysis. Pick a provider with SKILLSPECTOR_PROVIDER; each ships its own bundled default model. SkillSpector also works against local OpenAI-compatible servers (Ollama, vLLM, llama.cpp) and managed inference gateways.

Provider (SKILLSPECTOR_PROVIDER) Credential env var Endpoint Default model

openai OPENAI_API_KEY (+ optional OPENAI_BASE_URL) api.openai.com (or any OpenAI-compatible URL) gpt-5.4

anthropic ANTHROPIC_API_KEY api.anthropic.com claude-opus-4-6

nv_build NVIDIA_INFERENCE_KEY build.nvidia.com deepseek-ai/deepseek-v4-flash

# Stock OpenAI export SKILLSPECTOR_PROVIDER=openai export OPENAI_API_KEY=sk-... skillspector scan ./my-skill/

# Anthropic export SKILLSPECTOR_PROVIDER=anthropic export ANTHROPIC_API_KEY=sk-ant-... skillspector scan ./my-skill/

# NVIDIA build.nvidia.com export SKILLSPECTOR_PROVIDER=nv_build export NVIDIA_INFERENCE_KEY=nvapi-... skillspector scan ./my-skill/

# Local Ollama or any OpenAI-compatible

§3 AI · 95%

endpoint export SKILLSPECTOR_PROVIDER=openai export OPENAI_API_KEY=ollama export OPENAI_BASE_URL=http://localhost:11434/v1 export SKILLSPECTOR_MODEL=llama3.1:8b skillspector scan ./my-skill/

# Override the provider's default model export SKILLSPECTOR_MODEL=gpt-5.2 skillspector scan ./my-skill/

# Skip LLM analysis (faster, static analysis only) skillspector scan ./my-skill/ --no-llm Vulnerability Patterns SkillSpector detects 64 vulnerability patterns across 16 categories: Prompt Injection (5 patterns)

ID Pattern Severity Description

P1 Instruction Override HIGH Commands to ignore safety constraints

P2 Hidden Instructions HIGH Malicious directives in comments/invisible text

P3 Exfiltration Commands HIGH Instructions to transmit context externally

P4 Behavior Manipulation MEDIUM Subtle instructions altering agent decisions

P5 Harmful Content CRITICAL Instructions that could cause physical harm

Data Exfiltration (4 patterns)

ID Pattern Severity Description

E1 External Transmission MEDIUM Sending data to external URLs

E2 Env Variable Harvesting HIGH Collecting API keys and secrets

E3 File System Enumeration MEDIUM Scanning directories for sensitive files

E4 Context Leakage HIGH Transmitting conversation context externally

Privilege Escalation (3 patterns)

ID Pattern Severity Description

PE1 Excessive Permissions LOW Requesting access beyond stated functionality

PE2 Sudo/Root Execution MEDIUM Invoking elevated system privileges

PE3 Credential Access HIGH Reading SSH keys, tokens, passwords

Supply Chain (6 patterns)

ID Pattern Severity Description

SC1 Unpinned Dependencies LOW No version

§4 AI · 99%

constraints on packages

SC2 External Script Fetching HIGH curl | bash and remote code execution

SC3 Obfuscated Code HIGH Base64/hex encoded execution

SC4 Known Vulnerable Dependencies HIGH Dependencies with known CVEs (live OSV.dev lookup)

SC5 Abandoned Dependencies MEDIUM Unmaintained packages without security updates

SC6 Typosquatting HIGH Package names similar to popular packages

Excessive Agency (4 patterns)

ID Pattern Severity Description

EA1 Unrestricted Tool Access HIGH Unfettered tool access without constraints

EA2 Autonomous Decision Making HIGH High-impact decisions without human-in-the-loop

EA3 Scope Creep MEDIUM Capabilities extending beyond stated purpose

EA4 Unbounded Resource Access MEDIUM No rate limits or quotas on resource consumption

Output Handling (3 patterns)

ID Pattern Severity Description

OH1 Unvalidated Output Injection HIGH Model output used without sanitization

OH2 Cross-Context Output MEDIUM Output flows across trust boundaries without validation

OH3 Unbounded Output MEDIUM No limits on output size or generation rate

System Prompt Leakage (3 patterns)

ID Pattern Severity Description

P6 Direct Leakage HIGH Instructions that expose system prompts or internal rules

P7 Indirect Extraction MEDIUM Extraction via rephrasing, translation, or side-channels

P8 Tool-Based Exfiltration HIGH System prompts exfiltrated via file writes or network requests

Memory Poisoning (3 patterns)

ID Pattern Severity Description

MP1 Persistent Context Injection HIGH Content designed to persist across interactions

MP2 Context Window Stuffing MEDIUM Filler content displacing safety constraints

MP3 Memory Manipulation HIGH Tampering with agent memory or stored state

Tool Misuse (3 patterns)

ID Pattern Severity Description

TM1 Tool Parameter Abuse HIGH Crafted parameters for unintended behavior (shell=True, --force)

§5 AI · 99%

TM2 Chaining Abuse HIGH Tool chains that bypass individual safety checks

TM3 Unsafe Defaults MEDIUM Overly permissive defaults (disabled TLS, no auth)

Rogue Agent (2 patterns)

ID Pattern Severity Description

RA1 Self-Modification CRITICAL Modifying own code or configuration at runtime

RA2 Session Persistence HIGH Unauthorized persistence via cron jobs or startup scripts

Trigger Abuse (3 patterns)

ID Pattern Severity Description

TR1 Overly Broad Trigger MEDIUM Trigger patterns matching common words

TR2 Shadow Command Trigger HIGH Triggers that shadow built-in commands or other skills

TR3 Keyword Baiting Trigger MEDIUM Generic triggers designed to maximize activation

Behavioral AST (8 patterns)

ID Pattern Severity Description

AST1 exec() Call CRITICAL Direct exec() enabling arbitrary code execution

AST2 eval() Call HIGH Direct eval() evaluating arbitrary expressions

AST3 Dynamic Import HIGH __import__() loading arbitrary modules at runtime

AST4 subprocess Call HIGH External command execution via subprocess

AST5 os.system / exec-family HIGH Shell commands via os module

AST6 compile() Call MEDIUM Code object creation from strings

AST7 Dynamic getattr() MEDIUM Arbitrary attribute access with non-literal names

AST8 Dangerous Execution Chain CRITICAL exec/eval combined with dynamic source (network, encoded data)

Taint Tracking (5 patterns)

ID Pattern Severity Description

TT1 Direct Taint Flow HIGH Data flows directly from a source to a sink without sanitization

TT2 Variable-Mediated Taint Flow MEDIUM Data flows from source to sink through intermediate variables

TT3 Credential Exfiltration Chain CRITICAL Credentials (env vars, secrets) flow to network output sinks

TT4 File Read to Network Exfiltration HIGH File contents flow to network output sinks

TT5 External Input to Code Execution CRITICAL Network or user input flows to

§6 AI · 88%

exec/eval/subprocess sinks

YARA Signatures (4 patterns)

ID Pattern Severity Description

YR1 Malware Match CRITICAL YARA rule match for known malware signatures

YR2 Webshell Match CRITICAL YARA rule match for webshell patterns

YR3 Cryptominer Match HIGH YARA rule match for crypto mining indicators

YR4 Hack Tool / Exploit Match HIGH YARA rule match for hack tools or exploit code

MCP Least Privilege (4 patterns)

ID Pattern Severity Description

LP1 Underdeclared Capability HIGH Code uses capabilities not listed in declared permissions

LP2 Wildcard Permission MEDIUM Permission list contains wildcards (*, all, full, any)

LP3 Missing Permission Declaration MEDIUM No permissions field but code has detectable capabilities

LP4 Overdeclared Permission LOW Permission declared but no corresponding code capability found

MCP Tool Poisoning (4 patterns)

ID Pattern Severity Description

TP1 Hidden Instructions HIGH Hidden directives in metadata (HTML comments, zero-width chars, base64, data URIs)

TP2 Unicode Deception HIGH Homoglyphs, RTL overrides, mixed-script identifiers in tool metadata

TP3 Parameter Description Injection MEDIUM Injection patterns in parameter definitions (overrides, system tokens, malicious defaults)

TP4 Description-Behavior Mismatch MEDIUM Declared tool description does not match actual code behavior (LLM-powered)

All detected patterns are listed in the tables above. Risk Scoring Score Calculation

CRITICAL issues: +50 points HIGH issues: +25 points MEDIUM issues: +10 points LOW issues: +5 points Executable scripts: 1.3x multiplier

Severity Levels

Score Severity Recommendation

0-20 LOW SAFE

21-50 MEDIUM CAUTION

51-80