Agent skills are increasingly distributed and installed with implicit trust, yet empirical studies show a substantial fraction contain exploitable bugs or malicious intent. SkillSpector addresses this gap by shifting security checks left: it lets maintainers and integrators decide “Is this skill safe to install?” before granting it runtime privileges.
What Sets It Apart
- Two-stage analysis that balances scale and context: a fast static pipeline (regex + AST detectors) catches high-recall code patterns (exec, eval, subprocess, taint flows), while an optional LLM semantic stage reduces false positives and produces human-readable explanations. This lets teams run bulk scans quickly and deep-dive only when needed.
- Domain-specific patterns and live vulnerability signals: the tool encodes 64 vulnerability patterns across 16 categories (prompt injection, data exfiltration, supply-chain checks, MCP/tool poisoning, etc.) and queries OSV.dev for real-time dependency CVE data with offline fallback—useful for both internet-connected CI and air-gapped workflows.
- Security-first outputs and integration targets: produces terminal, JSON, Markdown, and SARIF reports and a 0–100 risk score with severity labels and prescriptive recommendations, making it straightforward to plug into CI gates, pre-install checks, or manual review workflows.
How It Works (brief)
Static analyzers scan files, AST structures, and metadata to surface risky constructs (e.g., exec/eval, dynamic imports, environment harvesting). When enabled, the LLM stage evaluates intent and context, filtering false positives and generating explanations and remediation suggestions. Live OSV lookups enrich supply-chain findings; caching and offline fallbacks are provided for reliability.
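As an added illustration (not SkillSpector's own code), the following is a minimal version of the static stage described above: an AST detector for exec/eval, subprocess, dynamic-import and environment-harvesting constructs that sums per-finding weights into a 0–100 score with a severity label. The rule table, the weights, the label thresholds and the sample skill are all constructed for this example and are not the tool's real 64-pattern rule set.

```python
import ast
# Hypothetical detector table for this example; SkillSpector's own 64-pattern rule set is not on the page.
DANGEROUS_CALLS = {
    "exec": ("dynamic-exec", "HIGH"), "eval": ("dynamic-eval", "HIGH"),
    "subprocess.run": ("subprocess", "HIGH"), "subprocess.Popen": ("subprocess", "HIGH"),
    "os.system": ("subprocess", "HIGH"), "__import__": ("dynamic-import", "MEDIUM"),
    "importlib.import_module": ("dynamic-import", "MEDIUM"),
    "os.getenv": ("env-harvesting", "MEDIUM"), "os.environ.get": ("env-harvesting", "MEDIUM"),
}
SEVERITY_WEIGHT = {"HIGH": 40, "MEDIUM": 20}  # assumed weights; the total is capped at 100

def _dotted_name(node):
    """Flatten a Name/Attribute chain such as the func of subprocess.run(...) to 'subprocess.run'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None  # getattr(mod, name)(...) has no static name: a case for the LLM stage, not regex/AST

def scan_skill(source):
    """Return (findings, 0-100 risk score, label); each finding is (rule, severity, line, detail)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        name = _dotted_name(node.func) if isinstance(node, ast.Call) else None
        if name in DANGEROUS_CALLS:
            rule, sev = DANGEROUS_CALLS[name]
            findings.append((rule, sev, node.lineno, f"call to {name}()"))
        elif isinstance(node, ast.Subscript) and _dotted_name(node.value) == "os.environ":
            findings.append(("env-harvesting", "MEDIUM", node.lineno, "indexes os.environ"))
    findings.sort(key=lambda f: f[2])  # ast.walk is breadth-first, so restore source order
    score = min(100, sum(SEVERITY_WEIGHT[sev] for _, sev, _, _ in findings))
    label = "CRITICAL" if score >= 80 else "HIGH" if score >= 50 else "MEDIUM" if score >= 20 else "LOW"
    return findings, score, label

# Constructed sample skill: reads a secret from the environment and executes caller-supplied text.
SAMPLE_SKILL = '''import os, subprocess
def run(task):
    token = os.environ["API_TOKEN"]
    subprocess.run(["sh", "-c", task])
    return eval(task)
'''

if __name__ == "__main__":
    findings, score, label = scan_skill(SAMPLE_SKILL)
    for rule, sev, line, detail in findings:
        print(f"line {line} [{sev}] {rule}: {detail}")
    print(f"risk score {score}/100 ({label})")
```

Names reached through getattr or string-built imports produce no finding here, which is exactly the gap the semantic stage is meant to cover.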
Who It's For and Tradeoffs
It is a great fit if you maintain or curate marketplaces of agent skills, run CI for agent integrations, or operate automated installers that grant tools elevated privileges; SkillSpector helps prevent credential exfiltration, excessive agency, and runtime privilege escalation. Look elsewhere if you need dynamic runtime behavioral monitoring (SkillSpector is static and LLM-assisted and does not execute payloads), must analyze non-textual or fully obfuscated binaries, or require language-agnostic analysis for many non-English codebases: coverage and precision degrade on image-only or heavily encoded inputs.
Where It Fits
Positioned as a pre-install security scanner for skill manifests and code (SKILL.md, repos, zips). Compared with general-purpose SAST, SkillSpector targets agent-specific threats (prompt injection, tool poisoning, MCP mismatches) and integrates LLM judgment specifically for agent-intent interpretation rather than generic code quality checks.
Overall, SkillSpector makes a concrete trade: it sacrifices dynamic execution-based verification in favor of fast, explainable, and CI-friendly checks tailored to agent skills—an effective early-warning filter to reduce the chance of installing dangerous or privacy-leaking skills.
