NVIDIA released SkillSpector on June 17, an open-source security scanner designed to evaluate AI agent skills for vulnerabilities and malicious behavior before they are installed. The tool, available under the Apache 2.0 license on GitHub, addresses a growing gap in agent infrastructure: most agent frameworks allow skills to execute with implicit trust and minimal vetting.

SkillSpector scans 64 vulnerability patterns organized across 16 categories, according to the project’s documentation. Those categories include prompt injection, data exfiltration, privilege escalation, supply chain attacks, excessive agency, output handling failures, system prompt leakage, memory poisoning, tool misuse, rogue agent behavior, trigger abuse, dangerous code patterns (via AST analysis), taint tracking, YARA signatures, and two MCP-specific categories covering least privilege violations and tool poisoning.

How It Works

The scanner uses a two-stage architecture. The first stage runs fast static analysis using pattern matching and AST parsing. An optional second stage adds LLM-powered semantic evaluation for deeper validation. Live vulnerability lookups query OSV.dev for real-time CVE data, with automatic offline fallback when the service is unavailable.

SkillSpector accepts input from Git repositories, URLs, zip files, local directories, or individual files. It produces reports in terminal, JSON, Markdown, and SARIF formats, the last of which is the standard interchange format for static analysis tools and integrates directly with CI/CD pipelines and GitHub code scanning.

Each scan produces a risk score between 0 and 100, with severity labels and specific recommendations for remediation.

The Problem It Targets

The SkillSpector repository cites research showing that 26.1% of agent skills contain vulnerabilities, and 5.2% show likely malicious intent. The tool is designed to work with skills used by Claude Code, Codex CLI, Gemini CLI, and other agent frameworks that rely on skill packages for extensibility.

The release follows a pattern of agent skill supply chain incidents. In February 2026, Koi Security researchers identified 341 malicious skills on OpenClaw’s ClawHub marketplace, roughly 12% of the registry at the time, in a campaign they called ClawHavoc. Those skills deployed infostealers, reverse shells, and credential-harvesting malware disguised as legitimate productivity tools.

Broader Infrastructure Convergence

SkillSpector arrives alongside several other agent governance and security tools launched in June 2026. Vercel announced its eve framework on June 17 with built-in evaluation and approval workflows. Databricks released Omnigent on June 15 for multi-agent coordination and governance. OpenAI shipped scheduled tasks for ChatGPT on June 17, adding recurring autonomous work capabilities with governance controls.

The convergence suggests that pre-deployment security scanning and governance tooling are becoming baseline requirements for production agent systems, rather than afterthought additions. For teams running agent skill registries or marketplace-style distribution, SkillSpector offers a concrete scanning layer that slots into existing development workflows.