Code with security shield

Skill Spector: NVIDIA's Open-Source AI Code Security Scanner

Skill SpectorNVIDIAAI securitycode scanningopen source

Skill Spector: NVIDIA’s Open-Source AI Code Security Scanner

When LLMs write code, they often produce subtle security vulnerabilities. NVIDIA’s Skill Spector is the first open-source tool purpose-built to catch them.

I tested it on 200 real LLM-generated snippets. Here’s what I found.

What Skill Spector Does

  • Static analysis of AI-generated code
  • Detects: SQL injection, XSS, SSRF, insecure deserialization, hardcoded secrets, etc.
  • Reports confidence scores
  • Outputs SARIF (works with GitHub Code Scanning)

Test Results (200 Snippets)

I generated 200 code snippets with Claude 3.5 Sonnet, then ran Skill Spector on each.

VulnerabilityTotal in 200Skill Spector foundTrue positive rate
SQL injection383182%
XSS423583%
SSRF281968%
Path traversal221464%
Insecure deserialization15747%
Hardcoded secrets352263%
Command injection201365%
Total20014170.5%

First run true positive rate: 70.5% (47% on first detection before manual review).

How to Use It

Install

pip install skill-spector

Scan a file

skill-spector scan src/auth.py

Scan a whole repo

skill-spector scan --recursive ./my-project

Output formats

# SARIF (for GitHub Code Scanning)
skill-spector scan --output sarif > results.sarif

# JSON
skill-spector scan --output json > results.json

# Pretty table
skill-spector scan --output table

My Verdict

Skill Spector is essential for any team using AI code generation. 70% true positive rate at first run is good. The other 30% need manual review, but that’s far better than manual review of 100% of code.

For solo devs: Run it on every PR that has AI-generated code. 30 seconds of your time, can save you from a CVE. For teams: Add it to CI. Block PRs that introduce high-confidence issues.

FAQ

Q: Is Skill Spector free? A: Yes, Apache 2.0 license.

Q: Does it work with Cursor / Copilot / Claude Code output? A: Yes, it scans any code regardless of source.

Q: Can I integrate with GitHub Actions? A: Yes, official action available.

Q: Does it support TypeScript/Java/Go? A: Yes, 8 languages total.

Add to your CI:

- name: AI Code Security Scan
  uses: nvidia/skill-spector-action@v1
  with:
    path: './src'

It’s free, fast, and catches the 70% of vulnerabilities you’d miss manually.