NVIDIA just shipped the first dedicated fix for this: SkillSpector, an open-source security scanner built specifically for AI agent skills. 3,063 stars on GitHub, 230 forks, and Apache-2.0 licensed. So I cloned it, ran a scan, and here’s what you need to know.

How SkillSpector Scans AI Agent Skills for Security

SkillSpector answers one question: “Is this skill safe to install?” It scans skill directories, Git repos, zip files, or individual SKILL.md files before you load them into your agent — Claude Code, Codex CLI, Gemini CLI, you name it.

The scanner uses a two-stage pipeline. Stage one is fast static analysis — 64 vulnerability patterns across 16 categories, from prompt injection and data exfiltration to privilege escalation and supply chain risks. While stage two is optional LLM-powered semantic analysis, where it uses an OpenAI, Anthropic, or NVIDIA-compatible model to catch subtle issues regex can’t see.

Severity Scoring

So every scan produces a 0-100 risk score with clear labels:

I tested it on a few skills from my own workflow — a simple file-search skill scored 12/100 (LOW). A community skill that fetches remote data scored 52/100 (HIGH) because it had unpinned dependencies and external script fetching. And the scanner caught something I’d completely missed.

Hands-On: Scanning Agent Skills with SkillSpector

Installation is straightforward for an NVIDIA project. Three commands and you’re scanning:

git clone https://github.com/NVIDIA/skillspector.git
cd skillspector
make install

Then point it at anything:

# Scan a local skill directory
skillspector scan ./my-skill/

# Scan a GitHub repo
skillspector scan https://github.com/user/my-skill

# Scan a single file
skillspector scan ./SKILL.md

I ran it on a skill I pulled from a community marketplace. The output was clear — it flagged a scripts/sync.py file for env variable harvesting (confidence: 94%) and external data transmission to an API endpoint. The report showed me exactly which line, what pattern, and how confident the match was. And it took about 12 seconds for a full scan of a 15-file directory.

Where It Shines (and Where It Doesn’t)

The good: The static analysis goes deep — 16 categories covering everything from MCP tool poisoning to YARA malware signatures. The SARIF output format means you can plug it into CI/CD pipelines. And the live OSV.dev integration checks your skill’s dependencies against known CVEs in real time.

The honest limitations: It’s a static analyzer, so it can’t catch runtime behavior or dynamically loaded code. If a skill only reveals malicious payload at runtime, SkillSpector won’t see it. Non-English skills won’t be analyzed properly — the pattern matching is English-first right now. And you need Python 3.12+, which might mean setting up a separate environment if you’re still on 3.11.

The Bottom Line: AI Supply Chain Security Starts Here

If you use AI agent skills — and if you’re reading ToolGenix, you probably do — SkillSpector is a no-brainer add to your workflow. One command before pip install or load skill could save you from installing something nasty. It’s not a full runtime sandbox, but it’s the best first line of defense we’ve got right now. And the fact that it’s from NVIDIA with Apache-2.0 licensing means it’s not going anywhere.