> ## Documentation Index
> Fetch the complete documentation index at: https://docs.coderabbit.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# SkillSpector

> CodeRabbit uses SkillSpector to scan AI agent skill and MCP configuration files for security risks.

[SkillSpector](https://github.com/nvidia/skillspector) is a security scanner for AI agent skills and MCP configuration files. CodeRabbit runs SkillSpector version 2.1.1 to detect vulnerabilities, malicious patterns, and security risks in changed agent configuration files.

## Files

SkillSpector will run on changed files with the following names:

* `SKILL.md`
* `mcp.json`
* `mcp-config.json`
* `claude_desktop_config.json`
* `.cursorrules`
* `codex.yaml`

## Configuration

<Tabs>
  <Tab title="Using configuration file">
    ```yaml theme={null}
    reviews:
      tools:
        skillspector:
          enabled: true
    ```
  </Tab>

  <Tab title="Using web interface">
    Enable or disable SkillSpector from **Reviews → Tools → SkillSpector** in CodeRabbit's organization or repository settings page.
  </Tab>
</Tabs>

## Security policy and restrictions

CodeRabbit runs SkillSpector inside the sandbox with LLM analysis disabled. SkillSpector scans each changed file independently with static analysis and does not make LLM or network calls.

## When we skip SkillSpector

CodeRabbit will skip running SkillSpector when:

* SkillSpector is disabled in CodeRabbit settings or `.coderabbit.yaml`.
* No changed files match the supported file names.

## Profile behavior

SkillSpector uses the same rules in Chill and Assertive modes.

## What's next

<CardGroup cols={1}>
  <Card title="Tool catalog" href="/tools/list" icon="list" horizontal>
    Browse all linters, security analyzers, and CI/CD integrations by category and technology.
  </Card>

  <Card title="Tools reference" href="/tools/reference" icon="wrench" horizontal>
    Explore detailed specifications and configuration options for CodeRabbit tools.
  </Card>
</CardGroup>
