NVIDIA Verified Agent Skills: Scan, Sign, Deploy Agents Safely

NVIDIA Publishes Verified Agent Skills with Scanning and Cryptographic Signing

NVIDIA has launched a catalog of agent skills that embed four layers of trust: cataloging, security scanning, cryptographic signing, and machine-readable documentation (skill cards). Skills published in the NVIDIA/skills GitHub repo are scanned daily for software and agent-native risks before publication, signed with a detached signature that can be verified post-download, and paired with a skill card documenting ownership, dependencies, licensing, and verification status.

The scanning step is the operational lever. NVIDIA runs each skill through SkillSpector, which checks conventional software risks (vulnerable dependencies, suspicious scripts, credential access) and agent-specific risks (hidden instructions, prompt injection, trigger abuse, excessive agency, tool poisoning). The intent layer matters: a skill may look safe at the file level while steering an agent toward unsafe behavior or requesting broader access than its stated purpose requires.

Cryptographic signing covers every file and subdirectory in the skill, letting developers verify that a downloaded skill is authentic and unchanged. NVIDIA is publicly experimenting with OpenSSF Model Signing (OMS) to make verification concrete and repeatable across environments. Developers can verify a signed skill locally by downloading the NVIDIA Agentic Capabilities root certificate and running the model_signing CLI.

The skill card template, also released openly, is where trust metadata becomes actionable. A developer can review whether a skill is compatible with a target agent, understand dependencies pre-deployment, and see known risks and validation status without manual auditing per install. Enterprise teams can use the same card to decide whether to allow broader skill deployment.

Agent Governance Moves from Runtime to Capability Layer

NVIDIA already embeds trust in agent systems through NeMo Guardrails (control, privacy, policy), OpenShell (sandboxed execution), and NemoClaw (policy enforcement around sensitive actions). Those tools govern how agents run. Verified skills extend that governance to what agents can do.

This matters because skills are reused and deployed in real workflows, not treated as opaque bundles. Open models, Model Context Protocol (MCP)-connected tools, and portable skills make agents easier to extend but harder to audit at scale. A SKILL.md-based capability that works in Claude Code, Codex, and Cursor needs to carry its own trust signal, not rely on registry association or implied provenance.

The constraint is real: verification is a framework, not execution-time enforcement. A signed skill with a clean scan is still a skill an agent can misuse. The layers reduce supply-chain risk and help teams make informed deployment decisions, but they do not prevent runtime misbehavior.

How to Use Verified Skills in Your Agent Workflows

If you are deploying agents in production, verified skills offer three concrete wins. First, you can audit the source and check whether it passed security scans before download. Second, you can verify the signature locally to confirm the skill has not been modified after publication. Third, you can machine-read the skill card to understand ownership, dependencies, license, and known risks without opening the file.

Start with the NVIDIA cuOpt verified skill as a reference: clone the skills repo, verify the signature using model_signing CLI, and open SKILLCARD.yaml to see the metadata. Use the same verification pipeline in your own deployment. The skill card template and skill card generator are open-source, so you can generate and human-verify required fields for custom skills.

Over time, NVIDIA plans to add standardized quality metrics (trigger accuracy, task completion rate, token efficiency) measured against a common harness. For now, verified means cataloged, scanned, signed, and documented. Trust the signal, but verify locally.