[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-83561":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":17,"stars30d":17,"stars90d":15,"forks30d":15,"starsTrendScore":18,"compositeScore":19,"rankGlobal":9,"rankLanguage":9,"license":20,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":23,"hasPages":21,"topics":24,"createdAt":9,"pushedAt":9,"updatedAt":25,"readmeContent":26,"aiSummary":9,"trendingCount":15,"starSnapshotCount":15,"syncStatus":27,"lastSyncTime":28,"discoverSource":29},83561,"SkillSpector","NVIDIA\u002FSkillSpector","NVIDIA","Security scanner for AI agent skills. Detect vulnerabilities, malicious patterns, and security risks.",null,"Python",2088,181,11,10,0,833,834,2499,108.78,"Apache License 2.0",false,"main",true,[],"2026-06-12 04:01:41","# SkillSpector\n\n**Security scanner for AI agent skills.** Detect vulnerabilities, malicious patterns, and security risks before installing agent skills.\n\n[![Python 3.12+](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fpython-3.12+-blue.svg)](https:\u002F\u002Fwww.python.org\u002Fdownloads\u002F)\n[![License: Apache 2.0](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-Apache%202.0-blue.svg)](https:\u002F\u002Fwww.apache.org\u002Flicenses\u002FLICENSE-2.0)\n\n## Overview\n\nAI agent skills (used by Claude Code, Codex CLI, Gemini CLI, etc.) execute with implicit trust and minimal vetting. Research shows that **26.1% of skills contain vulnerabilities** and **5.2% show likely malicious intent**.\n\nSkillSpector helps you answer: **\"Is this skill safe to install?\"**\n\n## Documentation\n\n- **[Development guide](docs\u002FDEVELOPMENT.md)** — Architecture, package layout, and how to extend the analyzer pipeline.\n- **[OSS_RELEASE.md](OSS_RELEASE.md)** — How to produce a public-OSS branch from this repo.\n\n## Features\n\n- **Multi-format input**: Scan Git repos, URLs, zip files, directories, or single files\n- **64 vulnerability patterns** across 16 categories: prompt injection, data exfiltration, privilege escalation, supply chain, excessive agency, output handling, system prompt leakage, memory poisoning, tool misuse, rogue agent, trigger abuse, dangerous code (AST), taint tracking, YARA signatures, MCP least privilege, and MCP tool poisoning\n- **Two-stage analysis**: Fast static analysis + optional LLM semantic evaluation\n- **Live vulnerability lookups**: SC4 queries [OSV.dev](https:\u002F\u002Fosv.dev) for real-time CVE data with automatic offline fallback\n- **Multiple output formats**: Terminal, JSON, Markdown, and SARIF reports\n- **Risk scoring**: 0-100 score with severity labels and clear recommendations\n\n## Quick Start\n\n### Installation\n\nCreate and activate a virtual environment first (all `make` targets assume the venv is active). Use **uv** or **pip**; the Makefile uses `uv` if available, otherwise `pip`.\n\n```bash\n# Clone the repository\ngit clone https:\u002F\u002Fgithub.com\u002FNVIDIA\u002Fskillspector.git\ncd skillspector\n\n# Create and activate virtual environment\nuv venv .venv && source .venv\u002Fbin\u002Factivate\n# or: python3 -m venv .venv && source .venv\u002Fbin\u002Factivate\n\n# Install for production use\nmake install\n\n# Or install with development dependencies\nmake install-dev\n```\n\n### Basic Usage\n\n```bash\n# Scan a local skill directory\nskillspector scan .\u002Fmy-skill\u002F\n\n# Scan a single SKILL.md file\nskillspector scan .\u002FSKILL.md\n\n# Scan a Git repository\nskillspector scan https:\u002F\u002Fgithub.com\u002Fuser\u002Fmy-skill\n\n# Scan a zip file\nskillspector scan .\u002Fmy-skill.zip\n```\n\n### Output Formats\n\n```bash\n# Terminal output (default) - pretty formatted\nskillspector scan .\u002Fmy-skill\u002F\n\n# JSON output - machine readable\nskillspector scan .\u002Fmy-skill\u002F --format json --output report.json\n\n# Markdown output - for documentation\nskillspector scan .\u002Fmy-skill\u002F --format markdown --output report.md\n\n# SARIF output - for CI\u002FCD integration and IDE tooling\nskillspector scan .\u002Fmy-skill\u002F --format sarif --output report.sarif\n```\n\n### LLM Analysis\n\nFor the best results, configure an OpenAI-compatible LLM endpoint for\nsemantic analysis. Pick a provider with `SKILLSPECTOR_PROVIDER`; each\nships its own bundled default model. SkillSpector also works against\nlocal OpenAI-compatible servers (Ollama, vLLM, llama.cpp) and managed\ninference gateways.\n\n| Provider (`SKILLSPECTOR_PROVIDER`) | Credential env var | Endpoint | Default model |\n|----------|----|----|----|\n| `openai` | `OPENAI_API_KEY` (+ optional `OPENAI_BASE_URL`) | api.openai.com (or any OpenAI-compatible URL) | `gpt-5.4` |\n| `anthropic` | `ANTHROPIC_API_KEY` | api.anthropic.com | `claude-opus-4-6` |\n| `nv_build` | `NVIDIA_INFERENCE_KEY` | build.nvidia.com | `deepseek-ai\u002Fdeepseek-v4-flash` |\n\n```bash\n# Stock OpenAI\nexport SKILLSPECTOR_PROVIDER=openai\nexport OPENAI_API_KEY=sk-...\nskillspector scan .\u002Fmy-skill\u002F\n\n# Anthropic\nexport SKILLSPECTOR_PROVIDER=anthropic\nexport ANTHROPIC_API_KEY=sk-ant-...\nskillspector scan .\u002Fmy-skill\u002F\n\n# NVIDIA build.nvidia.com\nexport SKILLSPECTOR_PROVIDER=nv_build\nexport NVIDIA_INFERENCE_KEY=nvapi-...\nskillspector scan .\u002Fmy-skill\u002F\n\n# Local Ollama or any OpenAI-compatible endpoint\nexport SKILLSPECTOR_PROVIDER=openai\nexport OPENAI_API_KEY=ollama\nexport OPENAI_BASE_URL=http:\u002F\u002Flocalhost:11434\u002Fv1\nexport SKILLSPECTOR_MODEL=llama3.1:8b\nskillspector scan .\u002Fmy-skill\u002F\n\n# Override the provider's default model\nexport SKILLSPECTOR_MODEL=gpt-5.2\nskillspector scan .\u002Fmy-skill\u002F\n\n# Skip LLM analysis (faster, static analysis only)\nskillspector scan .\u002Fmy-skill\u002F --no-llm\n```\n\n## Vulnerability Patterns\n\nSkillSpector detects **64 vulnerability patterns** across 16 categories:\n\n### Prompt Injection (5 patterns)\n\n| ID | Pattern | Severity | Description |\n|----|---------|----------|-------------|\n| P1 | Instruction Override | HIGH | Commands to ignore safety constraints |\n| P2 | Hidden Instructions | HIGH | Malicious directives in comments\u002Finvisible text |\n| P3 | Exfiltration Commands | HIGH | Instructions to transmit context externally |\n| P4 | Behavior Manipulation | MEDIUM | Subtle instructions altering agent decisions |\n| P5 | Harmful Content | CRITICAL | Instructions that could cause physical harm |\n\n### Data Exfiltration (4 patterns)\n\n| ID | Pattern | Severity | Description |\n|----|---------|----------|-------------|\n| E1 | External Transmission | MEDIUM | Sending data to external URLs |\n| E2 | Env Variable Harvesting | HIGH | Collecting API keys and secrets |\n| E3 | File System Enumeration | MEDIUM | Scanning directories for sensitive files |\n| E4 | Context Leakage | HIGH | Transmitting conversation context externally |\n\n### Privilege Escalation (3 patterns)\n\n| ID | Pattern | Severity | Description |\n|----|---------|----------|-------------|\n| PE1 | Excessive Permissions | LOW | Requesting access beyond stated functionality |\n| PE2 | Sudo\u002FRoot Execution | MEDIUM | Invoking elevated system privileges |\n| PE3 | Credential Access | HIGH | Reading SSH keys, tokens, passwords |\n\n### Supply Chain (6 patterns)\n\n| ID | Pattern | Severity | Description |\n|----|---------|----------|-------------|\n| SC1 | Unpinned Dependencies | LOW | No version constraints on packages |\n| SC2 | External Script Fetching | HIGH | curl \\| bash and remote code execution |\n| SC3 | Obfuscated Code | HIGH | Base64\u002Fhex encoded execution |\n| SC4 | Known Vulnerable Dependencies | HIGH | Dependencies with known CVEs (live OSV.dev lookup) |\n| SC5 | Abandoned Dependencies | MEDIUM | Unmaintained packages without security updates |\n| SC6 | Typosquatting | HIGH | Package names similar to popular packages |\n\n### Excessive Agency (4 patterns)\n\n| ID | Pattern | Severity | Description |\n|----|---------|----------|-------------|\n| EA1 | Unrestricted Tool Access | HIGH | Unfettered tool access without constraints |\n| EA2 | Autonomous Decision Making | HIGH | High-impact decisions without human-in-the-loop |\n| EA3 | Scope Creep | MEDIUM | Capabilities extending beyond stated purpose |\n| EA4 | Unbounded Resource Access | MEDIUM | No rate limits or quotas on resource consumption |\n\n### Output Handling (3 patterns)\n\n| ID | Pattern | Severity | Description |\n|----|---------|----------|-------------|\n| OH1 | Unvalidated Output Injection | HIGH | Model output used without sanitization |\n| OH2 | Cross-Context Output | MEDIUM | Output flows across trust boundaries without validation |\n| OH3 | Unbounded Output | MEDIUM | No limits on output size or generation rate |\n\n### System Prompt Leakage (3 patterns)\n\n| ID | Pattern | Severity | Description |\n|----|---------|----------|-------------|\n| P6 | Direct Leakage | HIGH | Instructions that expose system prompts or internal rules |\n| P7 | Indirect Extraction | MEDIUM | Extraction via rephrasing, translation, or side-channels |\n| P8 | Tool-Based Exfiltration | HIGH | System prompts exfiltrated via file writes or network requests |\n\n### Memory Poisoning (3 patterns)\n\n| ID | Pattern | Severity | Description |\n|----|---------|----------|-------------|\n| MP1 | Persistent Context Injection | HIGH | Content designed to persist across interactions |\n| MP2 | Context Window Stuffing | MEDIUM | Filler content displacing safety constraints |\n| MP3 | Memory Manipulation | HIGH | Tampering with agent memory or stored state |\n\n### Tool Misuse (3 patterns)\n\n| ID | Pattern | Severity | Description |\n|----|---------|----------|-------------|\n| TM1 | Tool Parameter Abuse | HIGH | Crafted parameters for unintended behavior (shell=True, --force) |\n| TM2 | Chaining Abuse | HIGH | Tool chains that bypass individual safety checks |\n| TM3 | Unsafe Defaults | MEDIUM | Overly permissive defaults (disabled TLS, no auth) |\n\n### Rogue Agent (2 patterns)\n\n| ID | Pattern | Severity | Description |\n|----|---------|----------|-------------|\n| RA1 | Self-Modification | CRITICAL | Modifying own code or configuration at runtime |\n| RA2 | Session Persistence | HIGH | Unauthorized persistence via cron jobs or startup scripts |\n\n### Trigger Abuse (3 patterns)\n\n| ID | Pattern | Severity | Description |\n|----|---------|----------|-------------|\n| TR1 | Overly Broad Trigger | MEDIUM | Trigger patterns matching common words |\n| TR2 | Shadow Command Trigger | HIGH | Triggers that shadow built-in commands or other skills |\n| TR3 | Keyword Baiting Trigger | MEDIUM | Generic triggers designed to maximize activation |\n\n### Behavioral AST (8 patterns)\n\n| ID | Pattern | Severity | Description |\n|----|---------|----------|-------------|\n| AST1 | exec() Call | CRITICAL | Direct exec() enabling arbitrary code execution |\n| AST2 | eval() Call | HIGH | Direct eval() evaluating arbitrary expressions |\n| AST3 | Dynamic Import | HIGH | \\_\\_import\\_\\_() loading arbitrary modules at runtime |\n| AST4 | subprocess Call | HIGH | External command execution via subprocess |\n| AST5 | os.system \u002F exec-family | HIGH | Shell commands via os module |\n| AST6 | compile() Call | MEDIUM | Code object creation from strings |\n| AST7 | Dynamic getattr() | MEDIUM | Arbitrary attribute access with non-literal names |\n| AST8 | Dangerous Execution Chain | CRITICAL | exec\u002Feval combined with dynamic source (network, encoded data) |\n\n### Taint Tracking (5 patterns)\n\n| ID | Pattern | Severity | Description |\n|----|---------|----------|-------------|\n| TT1 | Direct Taint Flow | HIGH | Data flows directly from a source to a sink without sanitization |\n| TT2 | Variable-Mediated Taint Flow | MEDIUM | Data flows from source to sink through intermediate variables |\n| TT3 | Credential Exfiltration Chain | CRITICAL | Credentials (env vars, secrets) flow to network output sinks |\n| TT4 | File Read to Network Exfiltration | HIGH | File contents flow to network output sinks |\n| TT5 | External Input to Code Execution | CRITICAL | Network or user input flows to exec\u002Feval\u002Fsubprocess sinks |\n\n### YARA Signatures (4 patterns)\n\n| ID | Pattern | Severity | Description |\n|----|---------|----------|-------------|\n| YR1 | Malware Match | CRITICAL | YARA rule match for known malware signatures |\n| YR2 | Webshell Match | CRITICAL | YARA rule match for webshell patterns |\n| YR3 | Cryptominer Match | HIGH | YARA rule match for crypto mining indicators |\n| YR4 | Hack Tool \u002F Exploit Match | HIGH | YARA rule match for hack tools or exploit code |\n\n### MCP Least Privilege (4 patterns)\n\n| ID | Pattern | Severity | Description |\n|----|---------|----------|-------------|\n| LP1 | Underdeclared Capability | HIGH | Code uses capabilities not listed in declared permissions |\n| LP2 | Wildcard Permission | MEDIUM | Permission list contains wildcards (\\*, all, full, any) |\n| LP3 | Missing Permission Declaration | MEDIUM | No permissions field but code has detectable capabilities |\n| LP4 | Overdeclared Permission | LOW | Permission declared but no corresponding code capability found |\n\n### MCP Tool Poisoning (4 patterns)\n\n| ID | Pattern | Severity | Description |\n|----|---------|----------|-------------|\n| TP1 | Hidden Instructions | HIGH | Hidden directives in metadata (HTML comments, zero-width chars, base64, data URIs) |\n| TP2 | Unicode Deception | HIGH | Homoglyphs, RTL overrides, mixed-script identifiers in tool metadata |\n| TP3 | Parameter Description Injection | MEDIUM | Injection patterns in parameter definitions (overrides, system tokens, malicious defaults) |\n| TP4 | Description-Behavior Mismatch | MEDIUM | Declared tool description does not match actual code behavior (LLM-powered) |\n\nView all patterns:\n```bash\nskillspector patterns\n```\n\n## Risk Scoring\n\n### Score Calculation\n\n- **CRITICAL issues**: +50 points\n- **HIGH issues**: +25 points\n- **MEDIUM issues**: +10 points\n- **LOW issues**: +5 points\n- **Executable scripts**: 1.3x multiplier\n\n### Severity Levels\n\n| Score | Severity | Recommendation |\n|-------|----------|----------------|\n| 0-20 | LOW | SAFE |\n| 21-50 | MEDIUM | CAUTION |\n| 51-80 | HIGH | DO NOT INSTALL |\n| 81-100 | CRITICAL | DO NOT INSTALL |\n\n## Example Output\n\n### Terminal Output\n\n```\n SkillSpector Security Report  v0.1.0\n\nSkill: suspicious-skill\nSource: .\u002Fsuspicious-skill\u002F\nScanned: 2026-01-29 10:30:00 UTC\n\n        Risk Assessment\n Metric          Value\n Score           78\u002F100\n Severity        HIGH\n Recommendation  DO NOT INSTALL\n\n        Components (3)\n File              Type      Lines  Executable\n SKILL.md          markdown    142  No\n scripts\u002Fsync.py   python       87  Yes\n requirements.txt  text          3  No\n\nIssues (2)\n\n  HIGH: Env Variable Harvesting (E2)\n    Location: scripts\u002Fsync.py:23\n    Finding: for key, val in os.environ.items():...\n    Confidence: 94%\n    Explanation: This code collects environment variables containing\n    API keys and secrets, then sends them to an external server.\n\n  HIGH: External Transmission (E1)\n    Location: scripts\u002Fsync.py:45\n    Finding: requests.post(\"https:\u002F\u002Fapi.skill.io\u002Fenv\"...\n    Confidence: 89%\n    Explanation: Data is being sent to an external server. Combined\n    with env harvesting above, this indicates credential exfiltration.\n```\n\n## Configuration\n\n### Environment Variables\n\n| Variable | Description | Required |\n|----------|-------------|----------|\n| `SKILLSPECTOR_PROVIDER` | Active LLM provider: `openai`, `anthropic`, or `nv_build`. Each provider has its own bundled `model_registry.yaml` and default model (see the LLM Analysis table above). Defaults to `nv_build`. | Optional |\n| `NVIDIA_INFERENCE_KEY` | Credential for the `nv_build` provider (build.nvidia.com). | Required for LLM analysis when `SKILLSPECTOR_PROVIDER=nv_build` |\n| `OPENAI_API_KEY` | Credential for the OpenAI provider (`SKILLSPECTOR_PROVIDER=openai`). Also serves as the tier-2 fallback in the credential waterfall when the active provider returns no credentials. | Required for LLM analysis when `SKILLSPECTOR_PROVIDER=openai` |\n| `OPENAI_BASE_URL` | Override the OpenAI endpoint (e.g. point at Ollama). | Optional |\n| `ANTHROPIC_API_KEY` | Credential for the Anthropic provider (`SKILLSPECTOR_PROVIDER=anthropic`). | Required for LLM analysis when `SKILLSPECTOR_PROVIDER=anthropic` |\n| `SKILLSPECTOR_MODEL` | Override the active provider's default model. See the LLM Analysis table for each provider's default. | Optional |\n| `SKILLSPECTOR_MODEL_REGISTRY` | Override the bundled per-provider YAML registry (`src\u002Fskillspector\u002Fproviders\u002F\u003Cprovider>.yaml`) with a custom path. | Optional |\n| `SKILLSPECTOR_LOG_LEVEL` | Log level: `DEBUG`, `INFO`, `WARNING`, `ERROR` (default: `WARNING`). | Optional |\n\n### CLI Options\n\n```bash\nskillspector scan --help\n\nOptions:\n  -f, --format [terminal|json|markdown|sarif]  Output format [default: terminal]\n  -o, --output PATH                            Output file path\n  --no-llm                                     Skip LLM analysis (static only)\n  -V, --verbose                                Show detailed progress\n  --help                                       Show this message and exit\n```\n\n## Development\n\n### Setup\n\nAll `make` targets assume a virtual environment is already created and activated. The Makefile uses **uv** if available, else **pip**.\n\n```bash\n# Clone, create venv, activate, install dev dependencies\ngit clone https:\u002F\u002Fgithub.com\u002FNVIDIA\u002Fskillspector.git\ncd skillspector\nuv venv .venv && source .venv\u002Fbin\u002Factivate\n# or: python3 -m venv .venv && source .venv\u002Fbin\u002Factivate\nmake install-dev\n\n# Run tests\nmake test\n\n# Run tests with coverage\nmake test-cov\n\n# Run linting\nmake lint\n\n# Format code\nmake format\n```\n\n## How It Works\n\nSkillSpector uses a two-stage detection pipeline:\n\n### Stage 1: Static Analysis\n- Fast regex-based pattern matching across 11 static analyzers\n- AST-based behavioral analysis detecting dangerous calls (exec, eval, subprocess, etc.)\n- Live vulnerability lookups via OSV.dev for known CVEs in dependencies\n- Scans all files in the skill\n- High recall (catches most issues)\n- Moderate precision (some false positives)\n\n### Stage 2: LLM Semantic Analysis (Optional)\n- Evaluates context and intent\n- Filters false positives\n- Provides human-readable explanations\n- Improves precision to ~87%\n\nThe LLM prompt includes anti-jailbreak protections to prevent malicious skills from manipulating the analysis.\n\n## Live Vulnerability Lookups (SC4)\n\nSC4 uses the [OSV.dev](https:\u002F\u002Fosv.dev) API to check dependencies against the full Open Source Vulnerabilities database — covering tens of thousands of advisories across PyPI and npm.\n\n- **No API key required** — OSV.dev is free and unauthenticated.\n- **Batch queries** — all dependencies are checked in a single HTTP call.\n- **Automatic fallback** — if OSV.dev is unreachable (air-gapped\u002Foffline), a small built-in fallback list is used.\n- **Caching** — results are cached in-memory for 1 hour to avoid redundant API calls during a session.\n\nThe tool requires outbound HTTPS access to `api.osv.dev` for live vulnerability data. When that is not available, findings are limited to the static fallback list.\n\n## Limitations\n\n- **Non-English content**: May miss patterns in other languages\n- **Image-based attacks**: Cannot analyze text in images\n- **Encrypted\u002Fbinary code**: Cannot analyze compiled or encrypted content\n- **Runtime behavior**: Static analysis only, no dynamic execution\n- **Offline SC4**: Without network access to `api.osv.dev`, SC4 uses a small static fallback list\n\n## Research Background\n\nBased on research from \"Agent Skills in the Wild: An Empirical Study of Security Vulnerabilities at Scale\" (Liu et al., 2026):\n\n- **Dataset**: 42,447 skills from major marketplaces\n- **Vulnerable**: 26.1% contain at least one vulnerability\n- **High-severity**: 5.2% show likely malicious intent\n- **Key finding**: Skills with executable scripts are 2.12x more likely to be vulnerable\n\n## Python API Integration\n\n```python\nfrom skillspector import graph\n\n# Invoke the LangGraph workflow\nresult = graph.invoke({\n    \"input_path\": \"\u002Fpath\u002Fto\u002Fskill\",\n    \"output_format\": \"json\",   # terminal, json, markdown, or sarif\n    \"use_llm\": True,           # False for static-only analysis\n})\n\n# Access results\nprint(f\"Risk Score: {result['risk_score']}\u002F100\")\nprint(f\"Severity: {result['risk_severity']}\")\nprint(f\"Recommendation: {result['risk_recommendation']}\")\n\nfor finding in result[\"filtered_findings\"]:\n    print(f\"[{finding['severity']}] {finding['rule_id']}: {finding['message']}\")\n```\n\n## License\n\nApache License 2.0 - see [LICENSE](LICENSE) for details.\n\n## Contributing\n\nContributions are welcome! Please read our contributing guidelines and submit pull requests.\n\n## Support\n\n- **Issues**: [GitHub Issues](https:\u002F\u002Fgithub.com\u002FNVIDIA\u002Fskillspector\u002Fissues)\n",2,"2026-06-11 04:11:22","high_star"]