nvidia/skillspector — reverse-engineered prompt

Build me a Python command line security scanner called SkillSpector that helps people decide if an AI agent skill is safe to install.

It should accept a local folder, a single skill file, a GitHub URL, a zip file, or a normal URL, then scan the contents for risky or malicious behavior. I want it to catch things like prompt injection, secret stealing, unsafe file access, external data sending, dangerous code, vulnerable dependencies, overpowered tools, and suspicious agent instructions. Show a clear risk score from 0 to 100, severity labels, what was found, where it was found, and plain English recommendations.

Please make the default terminal output easy to read, and also support saving reports as JSON, Markdown, and SARIF. Add a fast static scan mode, plus an optional deeper LLM review using OpenAI, Anthropic, NVIDIA, or a local OpenAI compatible server through environment variables. Also check OSV for known vulnerable packages, with offline fallback if needed.