SkillSpector is a security scanner for AI agent skills and MCP configuration files. CodeRabbit runs SkillSpector version 2.1.1 to detect vulnerabilities, malicious patterns, and security risks in changed agent configuration files.

Files

SkillSpector will run on changed files with the following names:
  • SKILL.md
  • mcp.json
  • mcp-config.json
  • claude_desktop_config.json
  • .cursorrules
  • codex.yaml

Configuration

reviews:
  tools:
    skillspector:
      enabled: true

Security policy and restrictions

CodeRabbit runs SkillSpector inside the sandbox with LLM analysis disabled. SkillSpector scans each changed file independently with static analysis and does not make LLM or network calls.

When we skip SkillSpector

CodeRabbit will skip running SkillSpector when:
  • SkillSpector is disabled in CodeRabbit settings or .coderabbit.yaml.
  • No changed files match the supported file names.

Profile behavior

SkillSpector uses the same rules in Chill and Assertive modes.

What’s next

Tool catalog

Browse all linters, security analyzers, and CI/CD integrations by category and technology.

Tools reference

Explore detailed specifications and configuration options for CodeRabbit tools.