Agent skills can look harmless while still containing risky instructions, hidden metadata, overbroad permissions, or executable code that does more than the description says. SkillSpector is a security scanner for AI agent skills that helps answer: should this skill be installed?
SkillSpector accepts Git repositories, URLs, zip files, directories, and single files. It runs fast static checks by default and can add optional LLM semantic analysis for issues that require intent comparison.
SkillSpector covers 64 vulnerability patterns across 16 categories, including:
It also supports live vulnerability lookup through OSV.dev for known vulnerable dependencies, with an offline fallback when network access is unavailable.
Create a virtual environment, install the package, and run the scanner from the repository:
If uv is unavailable, use Python’s built-in virtual environment support:
Use terminal output while iterating locally, JSON for automation, Markdown for review packets, and SARIF for CI or code scanning systems.
Static analysis is fast and deterministic. It can catch suspicious strings, dependency risk, dangerous APIs, and declared-permission mismatches.
Semantic analysis uses an LLM to compare what a skill claims with what its code appears to do. This is useful for description-behavior mismatch, vague triggers, and subtle policy issues.
Configure a provider when you want semantic checks:
For static-only review:
Use scan results as a release gate:
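One way to build such a gate over a SARIF report, as an added example (not SkillSpector's own code or CLI). The sample report is constructed, and the rule ids, function names, and the "fail at warning" threshold are assumptions. Field handling follows the SARIF 2.1.0 format.

```python
import json
# SARIF 2.1.0 result levels, ordered by severity.
LEVELS = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample report; rule ids and paths are placeholders, not real scanner output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "EX001", "defaultConfiguration": {"level": "error"}}]}},
        "results": [
            {"ruleId": "EX001", "message": {"text": "undeclared network access"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "skill/run.py"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "EX002", "level": "note", "message": {"text": "vague trigger"}},
            {"ruleId": "EX003", "level": "error", "message": {"text": "reviewed"},
             "suppressions": [{"kind": "external"}]},
        ],
    }],
})

def blocking_findings(sarif_text, fail_at="warning"):
    """Return (ruleId, level, location) for unsuppressed results at or above fail_at."""
    doc = json.loads(sarif_text)
    if not isinstance(doc.get("runs"), list) or not doc["runs"]:
        raise ValueError("no runs in report: a missing scan must not pass the gate")
    found = []
    for run in doc["runs"]:
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results") or []:
            # A suppression counts only if accepted (absent status means accepted).
            if any(s.get("status", "accepted") == "accepted" for s in res.get("suppressions") or []):
                continue
            rule = rules.get(res.get("ruleId"), {})
            # Level falls back to the rule's default, then to "warning".
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            if LEVELS.get(level, 3) >= LEVELS[fail_at]:  # unknown level fails closed
                loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
                where = "%s:%s" % (loc.get("artifactLocation", {}).get("uri", "?"),
                                   loc.get("region", {}).get("startLine", "?"))
                found.append((res.get("ruleId"), level, where))
    return found

def gate_exit_code(sarif_text, fail_at="warning"):
    """0 lets the release proceed; 1 blocks it. A malformed report also blocks."""
    try:
        return 1 if blocking_findings(sarif_text, fail_at) else 0
    except (ValueError, AttributeError, KeyError, TypeError):
        return 1
```

In CI, pass the report file's contents to `gate_exit_code` and exit with its result so an empty, truncated, or unparsable report blocks the release instead of passing silently.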
The goal is not just a clean report. The goal is a skill whose declared purpose, permissions, code, and documented risks all agree.