NVIDIA/SkillSpector — reverse-engineered prompt

Build me a Python command line security scanner called SkillSpector that helps people decide if an AI agent skill is safe to install.

It should accept a local folder, a single skill file, a zip file, a URL, or a GitHub repo, then scan it for risky behavior like prompt injection, secret stealing, suspicious network calls, unsafe permissions, dangerous code, vulnerable dependencies, tool abuse, and hidden malicious instructions. Give each scan a clear risk score from 0 to 100, severity labels, and plain English recommendations so a non security person can understand what to do.

Make the default scan fast with static checks, but also allow optional LLM review using OpenAI, Anthropic, NVIDIA, or a local OpenAI compatible server through environment variables. It should export nice terminal output plus JSON, Markdown, and SARIF reports for automation. Include tests, examples, setup instructions, and sensible offline behavior if live vulnerability lookup is unavailable. Look up current docs online if needed.