ML.

Static-analysis

Analyzing SkillSpector: How Do You Check Whether an Agent Skill Is Safe?

SkillSpector is NVIDIA's security scanner for AI agent skills. It vets a skill before install to find prompt injection, data exfiltration, and malicious code. We analyze its structure — a LangGraph map-reduce graph that fans out to 25 analyzers (static patterns, AST, taint, YARA, MCP, LLM semantics) and reduces them to a single risk score — against Superpowers and ponytail, which inject skills.

CodeGraph Architecture Analysis: How Is the Code Intelligence Layer Beneath Coding Agents Built?

CodeGraph is a TypeScript tool that uses tree-sitter to parse source code, builds a local SQLite knowledge graph of symbols, edges, and files (with FTS5), and exposes that graph via an MCP server to coding agents like Claude Code, Cursor, Codex, and Hermes Agent. Instead of burning tokens navigating a codebase with grep/Read calls, agents get answers from a single codegraph_explore invocation. This post analyzes the architecture that makes that possible.