NVIDIA SkillSpector: a Quarter of Agent Skills Are Vulnerable
NVIDIA is trending on GitHub today with SkillSpector, a security scanner that answers one question: is this skill safe to install? Point it at a repo, URL, zip or directory and it runs 64 vulnerability patterns across 16 categories — prompt injection, data exfiltration, privilege escalation — in a two-stage pipeline: fast static analysis, then an optional LLM-based semantic pass. Live CVE lookups via OSV.dev, risk scores from 0 to 100, output in terminal, JSON, Markdown or SARIF so it drops straight into CI.
The research behind it is the actual headline. The team analyzed 42,447 skills from major marketplaces and found 26.1% contain vulnerabilities and 5.2% show likely malicious intent. One in four skills you might install has a hole in it; one in twenty was probably built to hurt you. The skills ecosystem is barely a year old and it already has the malware density of a 2010s browser-extension store.
The timing writes its own story. Two days ago Miasma showed credentials being stolen the moment a coding agent opened a poisoned repo. Skills are an even softer target — they are instructions you explicitly hand to the agent, with marketplace-scale distribution. A scanner from NVIDIA is the predictable institutional response, and a useful one.
But before you relax, read POISE, an attack paper published this week: it shows current skill scanners false-flag 74.6% of clean skills while letting carefully positioned malicious payloads through at an 89.3% success rate. The scanners-vs-injectors arms race has officially started. SkillSpector is the first serious move on the defense side.
Repo: https://github.com/NVIDIA/SkillSpector
← Back to all articles
The research behind it is the actual headline. The team analyzed 42,447 skills from major marketplaces and found 26.1% contain vulnerabilities and 5.2% show likely malicious intent. One in four skills you might install has a hole in it; one in twenty was probably built to hurt you. The skills ecosystem is barely a year old and it already has the malware density of a 2010s browser-extension store.
The timing writes its own story. Two days ago Miasma showed credentials being stolen the moment a coding agent opened a poisoned repo. Skills are an even softer target — they are instructions you explicitly hand to the agent, with marketplace-scale distribution. A scanner from NVIDIA is the predictable institutional response, and a useful one.
But before you relax, read POISE, an attack paper published this week: it shows current skill scanners false-flag 74.6% of clean skills while letting carefully positioned malicious payloads through at an 89.3% success rate. The scanners-vs-injectors arms race has officially started. SkillSpector is the first serious move on the defense side.
Repo: https://github.com/NVIDIA/SkillSpector
Comments