NVIDIA SkillSpector v2.2.3 · static / --no-llm
OrchestKit — Agent-Skill Security Assessment
Ran NVIDIA's malware/vulnerability scanner against every shipped component, then fanned out an 11-agent swarm to adversarially triage every finding. Flip the switch to see the scanner's raw verdict collapse under verification.
149 components (112 skills + 37 agents) · 555 raw findings · 64 vuln patterns · hooks scanned separately
How 555 findings become 0 threats: the documentation false-positive collapse
555 raw findings flagged by the scanner → 488 live in .md docs / examples (88%) — never executed → 0 genuine vulnerabilities after swarm verification
149-component risk map
Ships a script (×1.3)
Scanner CRITICAL
Each cell is one skill or agent. Colour = SkillSpector band (RAW) or triage verdict (TRIAGE).
Findings by vulnerability category: bar = raw count · tag = verified false-positive rate
The findings that looked scary: every CRITICAL/HIGH real-code hit — read end-to-end, all refuted
Hall of mirrors — the defense flagged as the threat: OrchestKit's strongest-security components scored worst
Is SkillSpector right about anything structural? Where a static scanner could have a real point
What's actually worth doing: 0 security fixes required · 2 low-severity hygiene · the rest cosmetic
Built by an 11-agent OrchestKit swarm · SkillSpector run 2026-06-19, --no-llm static pass · verdicts are scoped to the skill+agent surface (hook TypeScript needs its own pass).