SkillSpector — agentic threat model
SkillSpector is a security-focused scanning tool with low inherent agentic autonomy, but its role in vetting untrusted agent skills makes it a critical target for bypasses, parser exploits, and prompt injection during its LLM-based semantic evaluation phase.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.10 |
| Goal-Driven Planning | 0.20 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.30 |
| Persistent Memory | 0.00 |
| Contextual Awareness | 0.40 |
| Dynamic Identity | 0.00 |
| Multi-Agent Interactions | 0.10 |
| Non-Determinism | 0.30 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Uses an optional LLM-based semantic evaluation stage. Threats include prompt injection embedded within scanned skills designed to manipulate the evaluation output, or adversarial inputs causing the LLM to misclassify malicious skills as safe.
Layer 2 (Data Operations): Ingests external data from Git repositories, URLs, zip files, and queries OSV.dev. Threats include data poisoning of the OSV.dev feed, zip bombs, or path traversal vulnerabilities when extracting and parsing untrusted skill packages.
Layer 3 (Agent Frameworks): Orchestrates static analysis and LLM evaluation. Threats include insecure integration of parsing tools or YARA engines, and vulnerabilities within the orchestration framework that could be exploited by malformed skill configurations.
Layer 4 (Deployment and Infrastructure): Not certain from the listing — the deployment environment is not specified, but as an open-source CLI/scanner tool, running it unsandboxed in developer environments or CI/CD pipelines poses risks of host compromise if a scanned skill triggers code execution during analysis.
Layer 5 (Evaluation and Observability): Acts as an evaluation and observability tool itself, checking 68 vulnerability patterns. Threats include evaluation gaming where malicious skills are obfuscated to bypass the static and semantic rules, and blind spots in the signature database.
Layer 6 (Security and Compliance): Not certain from the listing — no explicit authentication, authorization, or compliance certifications are mentioned for the tool itself, though it helps users enforce security policies like MCP least privilege.
Layer 7 (Agent Ecosystem): Designed to vet skills for agent environments like Claude Code and Gemini CLI. A failure or false negative in SkillSpector directly leads to the introduction of compromised or rogue skills into the broader agent ecosystem, causing cascading trust failures.
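The zip-bomb and path-traversal threats flagged for the data operations layer come down to two checks a scanner must run before it extracts an untrusted skill package. This is an added illustration, not SkillSpector's own code; the thresholds, function names and the constructed sample archive are assumptions.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath
from typing import Dict, Optional

# Assumed vetting policy for one skill package (not SkillSpector's own thresholds).
MAX_RATIO = 100                      # uncompressed/compressed ratio that flags a zip bomb
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # total uncompressed budget across all members


def _path_finding(name: str) -> Optional[str]:
    """Return a finding if the member name could escape the extraction directory."""
    posix = PurePosixPath(name.replace("\\", "/"))
    if posix.is_absolute() or re.match(r"^[A-Za-z]:", name):
        return "absolute path"
    if ".." in posix.parts:
        return "path traversal"
    return None


def audit_archive(data: bytes) -> Dict[str, str]:
    """Vet every member before extraction; verdict is 'ok' or the first finding."""
    verdicts: Dict[str, str] = {}
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            finding = _path_finding(info.filename)
            # Sizes come from the central directory, so they are attacker-controlled hints:
            # enough to refuse obvious bombs, not a substitute for a byte cap while reading.
            ratio = info.file_size / max(info.compress_size, 1)
            total += info.file_size
            if finding is None and ratio > MAX_RATIO:
                finding = "suspicious compression ratio"
            if finding is None and total > MAX_TOTAL_BYTES:
                finding = "total size budget exceeded"
            verdicts[info.filename] = finding or "ok"
    return verdicts


def is_safe_to_extract(data: bytes) -> bool:
    """True only when every member passed; a scanner would refuse the package otherwise."""
    return all(v == "ok" for v in audit_archive(data).values())


def make_sample_archive() -> bytes:
    """Constructed test package: a benign SKILL.md, a traversal entry and a zeros 'bomb'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("skill/SKILL.md", "# demo skill\n")
        zf.writestr("../evil.txt", "would land outside the target directory\n")
        zf.writestr("skill/bomb.bin", b"\0" * 2_000_000)  # ~2 MB of zeros deflates to a few KB
    return buf.getvalue()
```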
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification.