NVIDIA released Verified Agent Skills on May 22, a framework that adds scanning, cryptographic signing, and structured documentation to AI agent capabilities before they reach enterprise workflows. The NVIDIA technical blog post describes the system as extending trust from runtime guardrails to the capability layer itself.
The framework targets a specific problem: agent skills, the portable instruction sets that teach agents how to use tools and APIs, can introduce vulnerabilities at scale. As organizations adopt agents across workflows, the skills those agents consume become a supply chain attack surface.
How Verification Works
Every verified skill in the NVIDIA/skills GitHub repository passes through a multi-stage pipeline, according to NVIDIA’s blog. Skills are cataloged and synchronized daily by the product team that owns them, scanned for risks before publication, signed with a detached skill.oms.sig file, and documented with a skill card.
The skill card is a machine-readable trust record covering what the skill does, who built it, licensing terms, dependencies, and known technical limitations with mitigations. NVIDIA positions the skill card as the central trust artifact for both developers and enterprise teams evaluating compatibility and risk before deployment.
SkillSpector: Software and Agent-Specific Risk Scanning
Before a skill reaches the catalog, NVIDIA runs it through SkillSpector, an open-source scanning tool. According to the NVIDIA blog, SkillSpector checks conventional software risks: vulnerable dependencies, suspicious scripts, dangerous code patterns, credential access, and data exfiltration paths.
It also checks agent-specific risks that static analysis alone would miss: hidden instructions, prompt injection, trigger abuse, excessive agency, tool poisoning, and mismatches between a skill’s declared purpose and its actual behavior. As NVIDIA put it: “A skill may look harmless at the file level while steering an agent toward unsafe behavior, requesting broader access than its purpose requires, or describing one task while bundled artifacts enable another.”
Scanning coverage is grounded in OWASP guidance for LLM applications, OWASP agentic AI risks, and MITRE ATLAS.
Cryptographic Signing for Provenance
NVIDIA is publicly experimenting with cryptographic signing as part of a broader validation roadmap. The signature covers every file and subdirectory in the skill directory, according to the technical blog, allowing developers to verify that a downloaded skill is authentic and unchanged after publication.
The goal, per NVIDIA, is “verifiable integrity rather than relying only on catalog membership or publisher identity,” as Metaverse Post reported.
Built on Open Standards
Verified skills build on the agentskills.io open skills specification. The same SKILL.md format that works in one AI coding agent is designed to work across Claude Code, Codex, and Cursor. NVIDIA described this as preserving “the openness and portability of SKILL.md-based skills while embedding the chain-of-trust layers developers can expect.”
NVIDIA said evaluation will become an additional layer in the pipeline, introducing standardized quality metrics: trigger accuracy, task completion rate, and token efficiency measured against a common harness.
Governance Before Runtime
The framework slots into NVIDIA’s existing agent governance stack. NeMo Guardrails handles runtime policy enforcement. OpenShell and NemoClaw provide sandboxed execution and access controls. Verified Agent Skills extends governance to what enters the workflow in the first place, treating skills as a supply chain that needs the same verification infrastructure that container images and software packages received in previous platform cycles.