Introduction
SkillSpector is a security analysis tool by NVIDIA that scans AI agent skills, plugins, and tool definitions for vulnerabilities and malicious patterns before they are deployed. As AI agents increasingly rely on third-party skills and integrations, SkillSpector helps teams vet these components for prompt injection, data exfiltration, and other supply-chain risks.
What SkillSpector Does
- Scans agent skill definitions for prompt injection vulnerabilities
- Detects data exfiltration patterns in tool implementations
- Identifies overly permissive access scopes in skill configurations
- Checks for known malicious patterns in MCP server definitions and plugins
- Generates detailed security reports with severity ratings and remediation guidance
Architecture Overview
SkillSpector parses skill manifests and tool definitions into an abstract syntax tree, then applies a set of static analysis rules that check for common attack vectors in AI agent integrations. It combines pattern matching with LLM-assisted analysis to catch both known vulnerability signatures and novel suspicious behaviors.
Self-Hosting & Configuration
- Install via pip and run from the command line against any skill directory
- Configure scanning rules and severity thresholds in a YAML config file
- Integrate into CI/CD pipelines to block unsafe skills before deployment
- Supports scanning of OpenAI function definitions, MCP tools, and LangChain tools
- Output reports in JSON, SARIF, or human-readable formats
Key Features
- Static analysis of agent tool definitions without executing the code
- LLM-assisted detection of subtle prompt injection and social engineering patterns
- SARIF output for integration with GitHub Code Scanning and IDE security panels
- Configurable rule sets to match organizational security policies
- Support for multiple agent framework formats including MCP and OpenAI plugins
Comparison with Similar Tools
- Garak — LLM vulnerability scanner focused on model behavior; SkillSpector focuses on skill and plugin code
- Semgrep — general static analysis; SkillSpector has rules specific to AI agent attack surfaces
- Snyk — dependency vulnerability scanning; SkillSpector covers AI-specific supply chain risks
- Promptfoo — tests LLM prompt robustness; SkillSpector scans the tools and skills agents use
FAQ
Q: What agent frameworks does it support? A: It scans OpenAI function calling specs, MCP server definitions, LangChain tools, and generic Python-based agent skills.
Q: Can it run in a CI pipeline? A: Yes. Use the CLI with JSON or SARIF output and set a severity threshold to fail the build on critical findings.
Q: Does it require an API key? A: The static analysis engine runs locally. The optional LLM-assisted scan mode requires an API key for the configured model.
Q: How does it detect prompt injection in skills? A: It analyzes tool descriptions, parameter schemas, and return value handling for patterns that could manipulate the agent's behavior.