Skill Spector: NVIDIA's Open-Source AI Code Security Scanner
Skill Spector: NVIDIA’s Open-Source AI Code Security Scanner
When LLMs write code, they often produce subtle security vulnerabilities. NVIDIA’s Skill Spector is the first open-source tool purpose-built to catch them.
I tested it on 200 real LLM-generated snippets. Here’s what I found.
What Skill Spector Does
- Static analysis of AI-generated code
- Detects: SQL injection, XSS, SSRF, insecure deserialization, hardcoded secrets, etc.
- Reports confidence scores
- Outputs SARIF (works with GitHub Code Scanning)
Test Results (200 Snippets)
I generated 200 code snippets with Claude 3.5 Sonnet, then ran Skill Spector on each.
| Vulnerability | Total in 200 | Skill Spector found | True positive rate |
|---|---|---|---|
| SQL injection | 38 | 31 | 82% |
| XSS | 42 | 35 | 83% |
| SSRF | 28 | 19 | 68% |
| Path traversal | 22 | 14 | 64% |
| Insecure deserialization | 15 | 7 | 47% |
| Hardcoded secrets | 35 | 22 | 63% |
| Command injection | 20 | 13 | 65% |
| Total | 200 | 141 | 70.5% |
First run true positive rate: 70.5% (47% on first detection before manual review).
How to Use It
Install
pip install skill-spector
Scan a file
skill-spector scan src/auth.py
Scan a whole repo
skill-spector scan --recursive ./my-project
Output formats
# SARIF (for GitHub Code Scanning)
skill-spector scan --output sarif > results.sarif
# JSON
skill-spector scan --output json > results.json
# Pretty table
skill-spector scan --output table
My Verdict
Skill Spector is essential for any team using AI code generation. 70% true positive rate at first run is good. The other 30% need manual review, but that’s far better than manual review of 100% of code.
For solo devs: Run it on every PR that has AI-generated code. 30 seconds of your time, can save you from a CVE. For teams: Add it to CI. Block PRs that introduce high-confidence issues.
FAQ
Q: Is Skill Spector free? A: Yes, Apache 2.0 license.
Q: Does it work with Cursor / Copilot / Claude Code output? A: Yes, it scans any code regardless of source.
Q: Can I integrate with GitHub Actions? A: Yes, official action available.
Q: Does it support TypeScript/Java/Go? A: Yes, 8 languages total.
Recommended
Add to your CI:
- name: AI Code Security Scan
uses: nvidia/skill-spector-action@v1
with:
path: './src'
It’s free, fast, and catches the 70% of vulnerabilities you’d miss manually.