SkillSpector vs MCP Skills: Security Scanner vs Trust Layer

By Michael Browne · May 31, 2026 · 8 min read

NVIDIA SkillSpector is an open-source security scanner for AI agent skills. MCP Skills is a pre-install trust layer for MCP servers, AI skills, and packages.

SkillSpector answers: does this skill contain dangerous or malicious behavior? MCP Skills answers: is this project worth installing and depending on? The scanner goes deeper on security findings. The trust layer goes broader across maintenance, publisher credibility, adoption, security posture, documentation, licensing, public score pages, badges, monitoring, and agent-facing API access.

NVIDIA shipping SkillSpector is a category signal. Agent skills are no longer harmless prompt snippets. They are deployable capability bundles: instructions, code, references, assets, dependencies, and sometimes executable scripts that an agent may run with local permissions.

That is exactly why the ecosystem needs more than one layer. A scanner can identify suspicious content inside a skill. A trust score can decide whether the surrounding project is maintained, credibly authored, well documented, legally usable, and safe enough to depend on over time.

The short answer

Question: What is SkillSpector?
Best answer: An open-source command-line scanner from NVIDIA for detecting vulnerabilities, malicious patterns, and security risks in AI agent skills before installation.

Question: What is MCP Skills?
Best answer: A hosted trust layer that scores MCP servers, AI skills, repos, and packages across Alive, Legit, Solid, and Usable dimensions before they reach an agent.

Question: Are they competitors?
Best answer: Adjacent, not substitutes. SkillSpector is a deeper security scanner. MCP Skills is a broader trust scoring and discovery layer.

Question: Should teams use both?
Best answer: Yes. Use SkillSpector to scan the artifact. Use MCP Skills to evaluate the project around the artifact and monitor trust drift over time.

What SkillSpector does

SkillSpector is built for pre-install security review of agent skills. NVIDIA's documentation says it accepts Git repositories, URLs, zip files, directories, and single files, then runs fast static checks by default with optional LLM semantic analysis for issues that require intent comparison.

The scanner covers 64 vulnerability patterns across 16 categories, including prompt injection, data exfiltration, privilege escalation, supply-chain issues, excessive agency, output handling, system prompt leakage, memory poisoning, tool misuse, rogue-agent behavior, trigger abuse, dangerous code patterns, taint tracking, YARA signatures, MCP least privilege, and MCP tool poisoning.

That is the right kind of depth for artifact review. It looks at the contents of the skill itself: the natural-language instructions, metadata, declared permissions, code, dependencies, and behavior indicators that can turn a harmless-looking skill into an agent supply-chain risk.

What MCP Skills does

MCP Skills scores the project around a skill, server, or package. Instead of asking only whether an artifact contains a detected threat, it asks whether the project is trustworthy enough to install in the first place.

The trust score is built around four dimensions: Alive, Legit, Solid, and Usable.

For MCP servers and AI skills, MCP Skills activates Skills Mode. Skills Mode adds skill-specific safety checks, spec-compliance scoring, and heavier security weighting because agent tools may touch terminals, files, credentials, networks, and model context.

A scanner tells you whether an artifact looks dangerous. A trust layer tells you whether a project is worth depending on. A skill can pass a security scan and still be abandoned, undocumented, unlicensed, or published by an untrusted account. Those are different failure modes, and they deserve different signals.

SkillSpector vs MCP Skills

Primary purpose
  SkillSpector: Detect vulnerabilities and malicious patterns in AI agent skills.
  MCP Skills: Score install trust for MCP servers, AI skills, repos, npm packages, and registry URLs.

Main output
  SkillSpector: Risk report with findings, severity, recommendation, and optional SARIF.
  MCP Skills: Trust score, tier, dimensions, safety findings, score page, badge, API response, and MCP tool response.

Score direction
  SkillSpector: 0-100 risk score. Higher means more dangerous.
  MCP Skills: 0-10 trust score. Higher means more trustworthy.

Best at
  SkillSpector: Deep security review of a specific skill artifact.
  MCP Skills: Pre-install decision support, comparison, discovery, public trust pages, badges, and ongoing monitoring.

Security coverage
  SkillSpector: Broad scanner taxonomy: static patterns, AST, YARA, MCP least privilege, MCP tool poisoning, optional LLM semantic analysis.
  MCP Skills: Focused safety checks plus OSV, CISA KEV, EPSS, OpenSSF Scorecard, dependency health, CI workflow risk, and trust-tier disqualifiers.

Lifecycle fit
  SkillSpector: Developer or publisher scans before release or install.
  MCP Skills: Developer, agent, or team checks before install, during discovery, in CI gates, and during ongoing monitoring.

Public distribution
  SkillSpector: Open-source CLI and Python workflow.
  MCP Skills: Website, REST API, MCP server, public directory, score pages, badges, monitoring, and digest surfaces.

Should SkillSpector findings contribute to MCP Skills scores?

Yes, but as calibrated evidence rather than a blind score import. SkillSpector is open source, which makes it attractive as an upstream security signal. But its score and the MCP Skills score measure different things. SkillSpector's score increases when risk is found. MCP Skills' score increases when trust evidence is strong.

The right integration is not "copy SkillSpector's score into our score." The right integration is "use SkillSpector findings as additional evidence inside the Solid dimension."

Use critical findings as disqualifier evidence

A confirmed critical SkillSpector finding should be able to contribute to SAFETY_BLOCK or a similar hard gate. Some risks should not be offset by stars, downloads, or a good README.

Use clean scans as confidence, not proof

A clean SkillSpector scan should improve confidence in the Solid dimension, but it should not make a project Verified by itself. Maintenance, author credibility, adoption, license clarity, and documentation still matter.

Prefer report ingestion before hosted execution

The first product step should be SARIF or JSON ingestion: let maintainers attach a SkillSpector report to a score page. Running a Python scanner with optional LLM analysis inside a request path is heavier and should be a later batch-worker problem.

Keep the score explainable

If SkillSpector becomes a factor, score pages should show exactly what happened: scanner version, scan date, finding count, highest severity, artifact scanned, and whether the report was self-submitted or independently generated.

What not to do

Do not make "passed SkillSpector" equal "Verified." A passed scan means no covered threat was detected in that artifact. Verified should continue to mean strong trust across the project: maintained, credible, secure, documented, licensed, sufficiently signaled, and free of disqualifiers.

There are also practical reasons to avoid a rushed direct integration:

A practical integration path

If MCP Skills incorporates SkillSpector, the clean path is staged:

  1. Phase 1: Citation and education. Treat SkillSpector as a recommended deep scanner in the pre-install audit and score-page guidance.
  2. Phase 2: Report ingestion. Add a field for external scan evidence. Accept SkillSpector JSON or SARIF. Display scanner version, scan date, highest severity, and finding summary.
  3. Phase 3: Solid-dimension contribution. Map critical/high findings into tool_safety penalties and hard disqualifiers. Map a clean recent report into a bounded Solid confidence boost.
  4. Phase 4: Hosted batch scanning. Run SkillSpector or a SkillSpector-inspired analyzer out of band for high-priority repos, not synchronously during a public score request.
  5. Phase 5: Calibration. Benchmark against a labeled corpus of safe, vulnerable, and malicious skills before changing public tier thresholds.
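As an added example (not code from SkillSpector or MCP Skills), the Python below sketches Phases 2 and 3 together with the rules above on disqualifiers, clean scans and explainability: it ingests a constructed SARIF-shaped report, extracts the provenance fields a score page should show, and maps findings into a bounded Solid delta with a SAFETY_BLOCK disqualifier for critical findings. The SARIF "severity" property, the rule ids and version string, the penalty weights and the 90-day freshness window are all assumptions.

```python
import json
from datetime import date

# Constructed SARIF 2.1.0-shaped report; rule ids, version string and the
# "severity" property are made-up sample values, not real SkillSpector output.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "SkillSpector", "version": "x.y.z-sample"}},
    "results": [
        {"ruleId": "SAMPLE-prompt-injection", "level": "error",
         "properties": {"severity": "critical"}},
        {"ruleId": "SAMPLE-tool-misuse", "level": "warning",
         "properties": {"severity": "medium"}}]}]})

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Weights are assumptions for illustration, not MCP Skills' real calibration.
PENALTY = {"critical": -2.0, "high": -1.0, "medium": -0.3}
MAX_CLEAN_BOOST = 0.5   # bounded boost: a clean scan is confidence, not proof
FRESH_DAYS = 90         # a clean report older than this earns no boost


def summarize(sarif_text):
    """Pull the fields a score page should display out of a SARIF report."""
    run = json.loads(sarif_text)["runs"][0]
    sevs = [r.get("properties", {}).get("severity", "low")
            for r in run.get("results", [])]
    highest = max(sevs, key=lambda s: SEVERITY_RANK.get(s, 0), default=None)
    return {"scanner": run["tool"]["driver"]["name"],
            "scanner_version": run["tool"]["driver"]["version"],
            "finding_count": len(sevs), "highest_severity": highest}


def ingest(sarif_text, artifact, scan_date, self_submitted, today):
    """Map a report (dates as ISO strings) into a bounded Solid delta plus an
    optional hard disqualifier, keeping the provenance fields alongside."""
    ev = summarize(sarif_text)
    ev.update({"artifact": artifact, "scan_date": scan_date,
               "self_submitted": self_submitted, "disqualifier": None})
    highest = ev["highest_severity"]
    if highest == "critical":
        # Critical findings are not offset by stars, downloads or a README.
        ev["solid_delta"], ev["disqualifier"] = PENALTY["critical"], "SAFETY_BLOCK"
    elif highest in PENALTY:
        ev["solid_delta"] = PENALTY[highest]
    else:
        # Clean or low-only: small boost, halved if self-submitted, none if stale.
        age = (date.fromisoformat(today) - date.fromisoformat(scan_date)).days
        boost = MAX_CLEAN_BOOST * (0.5 if self_submitted else 1.0)
        ev["solid_delta"] = 0.0 if age > FRESH_DAYS else boost
    return ev
```

The returned dict is the explainability record: scanner, version, scan date, finding count, highest severity, artifact and whether the report was self-submitted all travel with the delta.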

This keeps MCP Skills honest. It benefits from NVIDIA's scanner work without turning a trust score into a thin wrapper around someone else's risk score.

Which one should you use?

Use case: You are publishing an agent skill and want to catch malicious-pattern or vulnerability findings before release.
Recommended layer: Run SkillSpector.

Use case: You are deciding whether to install an MCP server, AI skill, or npm package from a registry.
Recommended layer: Check MCP Skills first, then run a deeper artifact scan if the tool is high-privilege.

Use case: You need CI evidence for a security review.
Recommended layer: Use SkillSpector's JSON, Markdown, or SARIF output.

Use case: You need an agent or IDE to make a quick go/no-go install decision.
Recommended layer: Use the MCP Skills API or MCP server.

Use case: You maintain a repo and want public trust proof in your README.
Recommended layer: Use an MCP Skills score page and trust badge, and link to any SkillSpector scan report as supporting evidence.

The bigger shift

NVIDIA's trust pipeline pairs scanning with skill cards and cryptographic signing. That is the right direction: a usable trust story needs content review, clear metadata, and proof that the installed artifact is the reviewed artifact.

MCP Skills sits beside that pipeline as the public decision surface. A developer or agent should be able to ask: who made this, is it maintained, does it have known vulnerabilities, did scanners find risky behavior, does the license make sense, and has the score changed since last week?

That is the trust-layer category. SkillSpector validates that pre-install scanning is real. MCP Skills turns pre-install evidence into a repeatable install decision.

Bottom line: SkillSpector should become an input to trust scoring, not a replacement for trust scoring. Deep scanners and broad trust layers solve different parts of the same agent supply-chain problem.

Frequently asked questions

What is NVIDIA SkillSpector?

SkillSpector is an open-source security scanner for AI agent skills. It scans skill artifacts for vulnerabilities, malicious patterns, and security risks before installation, using static analysis and optional LLM semantic analysis.

How is SkillSpector different from MCP Skills?

SkillSpector is a scanner. MCP Skills is a trust layer. SkillSpector focuses on whether a specific skill artifact contains dangerous behavior. MCP Skills scores the broader project across maintenance, publisher credibility, adoption, security, documentation, licensing, public trust badges, monitoring, and API workflows.

Does SkillSpector replace MCP Skills?

No. SkillSpector can detect issues that MCP Skills should care about, especially in the Solid dimension. But a clean security scan does not answer whether a project is maintained, documented, adopted, credibly authored, or legally usable.

Should MCP Skills add SkillSpector values into its scores?

Yes, as calibrated evidence. Critical and high SkillSpector findings should be considered for tool-safety penalties or hard disqualifiers. Clean SkillSpector reports should improve confidence, but only within bounded limits and only with scanner version, scan date, and artifact provenance visible on the score page.

Is a clean SkillSpector scan enough to install a skill?

No. A clean scan means the scanner did not detect covered threat patterns. Before installing, you should also check publisher identity, maintenance history, dependency health, license clarity, documentation quality, version pinning, and runtime controls.

What is the best pre-install workflow?

Start with a trust score to decide whether the project is worth attention. For high-privilege tools, run a deep artifact scanner such as SkillSpector. Then pin the version, review the manifest, and sandbox the first run if the server needs filesystem, shell, credential, or network access.
