NVIDIA SkillSpector v2.2.3 · static / --no-llm

OrchestKit — Agent-Skill Security Assessment

Ran NVIDIA's malware/vulnerability scanner against every shipped component, then fanned out an 11-agent swarm to adversarially triage every finding. Flip the switch to see the scanner's raw verdict collapse under verification.

149 components (112 skills + 37 agents) · 555 raw findings · 64 vuln patterns · hooks scanned separately
SkillSpector says

Do-not-install
CRITICAL band
True positives
Findings in docs

How 555 findings become 0 threats

the documentation false-positive collapse
555 raw findings flagged by the scanner
488 live in .md docs / examples (88%) — never executed
0 genuine vulnerabilities after swarm verification

149-component risk map

Each cell is one skill or agent. Colour = SkillSpector band (RAW) or triage verdict (TRIAGE).

Findings by vulnerability category

bar = raw count · tag = verified false-positive rate

The findings that looked scary

every CRITICAL/HIGH real-code hit — read end-to-end, all refuted

Hall of mirrors — the defense flagged as the threat

OrchestKit's strongest-security components scored worst

Is SkillSpector right about anything structural?

where a static scanner could have a real point

What's actually worth doing

0 security fixes required · 2 low-severity hygiene · the rest cosmetic