A few weeks ago, I started looking more seriously at AI “skills.”
Not skills in the human sense.
I mean the installable skill packages used by AI coding agents and assistants, the kind of thing you might add to Claude Code, Codex-style workflows, Gemini CLI workflows, or other local agent setups.
At first, they look harmless.
A SKILL.md file.
Maybe a helper script.
Maybe a few references.
Maybe some instructions telling the assistant how to behave.
But the more I looked at them, the more they started to feel less like “just prompts” and more like small software packages.
And software packages need security review.
The uncomfortable part
The risk in an AI skill is not always obvious.
It might not look like malware.
It might not have a scary filename.
It might not even contain a traditional executable payload.
The risk can hide in places that are easy to overlook:
- Markdown instructions
- Prompt injection text
- Helper scripts
- External network calls
- Attempts to access environment variables
- Self-modifying behavior
- Overbroad permissions
- Suspicious dependencies
Traditional security review often asks:
What code will run?
AI skill review also needs to ask:
What behavior is this skill trying to influence?
Those are related, but they are not the same question.
OWASP already lists risks such as prompt injection, sensitive information disclosure, and supply-chain vulnerabilities in its Top 10 for LLM applications.
NVIDIA’s SkillSpector project also highlights why this matters. Its README cites research showing that 26.1% of skills contained vulnerabilities and 5.2% showed likely malicious intent.
That number made me stop and think.
If AI skills are easy to install, easy to share, and sometimes risky, then “just install it and see what happens” is not a review process.
SkillSpector helps answer the first question
NVIDIA SkillSpector is a security scanner for AI agent skills.
It helps answer a simple but important question:
Is this skill safe to install?
It can scan folders, files, zip archives, and repositories. It looks for risky patterns before installation, including suspicious instructions, hidden behavior, risky scripts, and other security concerns.
That is exactly the kind of tool this ecosystem needs.
But when I started using it, I noticed a practical gap.
The scan result was useful, but I wanted something easier to share.
Not everyone wants terminal output.
Not everyone wants raw JSON.
Not every review record should be a screenshot from a shell window.
Sometimes you need a report.
Something structured.
Something readable.
Something you can attach to a ticket, send to a reviewer, or keep as review evidence.
So I built one.
What I built
I built SkillSpector Report, a small open source Python CLI that turns NVIDIA SkillSpector scan output into a local PDF report.
Project: SkillSpector Report on GitHub
It does not replace SkillSpector.
It does not perform independent security analysis.
It simply runs the installed local skillspector CLI, reads SkillSpector JSON output, and turns the result into a polished PDF report.
The generated report includes:
- Report metadata
- Scan mode
- SkillSpector version
- Privacy note
- Risk banner
- Executive summary
- Findings detail
- Scanned components
- Raw SkillSpector JSON appendix
- Legal notice and limitations
The point is not to make scanner output “pretty.”
The point is to make scanner output easier to review, explain, share, and archive.
Why PDF?
Developers often prefer JSON, Markdown, or terminal output.
I understand that.
But security review is not always only for developers.
Sometimes the result needs to go to a manager.
Sometimes it needs to be attached to a governance ticket.
Sometimes it needs to be reviewed by someone who understands risk but does not want to inspect raw JSON.
Sometimes you just want a clean record of what was scanned and what was found.
That is where a PDF report is useful.
A PDF does not make a scanner more accurate.
But it can make the result easier to understand and easier to act on.
And in security, communication matters.
A finding that nobody understands is a finding that may not get fixed.
Clean report vs malicious report
I wanted the tool to handle two very different outcomes clearly.
Clean report
A clean report does not mean “guaranteed safe.”
It means SkillSpector did not report significant issues in that scan.
The report still includes the full structure:
- Metadata
- Executive summary
- Scanned components
- Raw JSON evidence
- Limitations
That matters because even a low-risk result should still be reviewed before trusting a skill.
Security scanners can miss things. A clean result is useful evidence, not a certificate of safety.
Malicious or suspicious report
This is where the report becomes more valuable.
When SkillSpector finds issues, the PDF includes a detailed findings table showing:
- Severity
- Finding category
- File location
- Line number
- Confidence
- Explanation
- Remediation guidance
That makes it easier to answer the questions reviewers actually care about:
What was found?
Where was it found?
How serious is it?
How confident is the scanner?
What should be reviewed next?
That is the difference between raw output and evidence that is easier to review.
Local first by design
I wanted the reporting workflow to stay local.
SkillSpector Report runs the installed local skillspector command and generates the PDF locally.
The report generator itself does not upload scan inputs or generated reports.
By default, it currently runs SkillSpector in static-only mode using --no-llm.
That means LLM semantic analysis is not enabled by default.
This was intentional. For a first review, I prefer a conservative local workflow before adding anything that may involve an external model provider.
There is one important nuance. Depending on the scanned content, dependencies, SkillSpector configuration, and network availability, SkillSpector itself may still perform package vulnerability lookups such as OSV.dev queries.
So the honest version is:
The report generator is local first, but users should still understand what the underlying scanner may do.
Basic usage
After installing NVIDIA SkillSpector separately, SkillSpector Report can generate a local PDF from a skill folder, zip file, package, or repository path.
The full setup instructions and examples are in the GitHub README:
https://github.com/mbahubaishi/skillspector-report
The repository also includes example PDF reports for both clean and malicious scan outcomes.
What this project is not
I think this part matters.
SkillSpector Report is not a magic safety button.
It does not guarantee that a skill is safe.
It does not replace manual review.
It does not replace NVIDIA SkillSpector.
It does not perform independent security analysis.
It does not certify compliance.
It does not prove that malicious behavior is absent.
It is a reporting layer.
A useful one, I hope, but still a reporting layer.
Security scanners can produce false positives and false negatives. A low-risk report should not be treated as a guarantee, and a high-risk report should be reviewed carefully before using the scanned item.
Why I think this matters
AI skills and agent tools are becoming more like software packages.
They can influence behavior.
They can include scripts.
They can reference external resources.
They can shape what an assistant does next.
That means teams will need better ways to review them.
Not just scan them.
Review them.
Explain them.
Archive the decision.
Share the evidence.
Help non-technical people understand the risk.
That is the gap I wanted to explore with this project.
NVIDIA SkillSpector does the security scanning.
SkillSpector Report tries to make the result easier to read, share, and keep.
What’s next
Some ideas I’m considering:
- Publishing to PyPI for easier installation
- Adding batch report generation
- Adding optional HTML report output
- Adding configurable report templates
- Adding summary-only reports
- Creating assistant workflows for Claude Code, Codex, or similar local coding agents
- Adding CI examples for review workflows
The project is still early, but the direction is clear:
AI skill security needs to become easier to review, not just easier to scan.
Project link
The project is open source under the MIT License:
https://github.com/mbahubaishi/skillspector-report
Feedback, issues, and suggestions are welcome.
Top comments (0)