When you install a package from npm, you can run npm audit. You get a dependency graph, known CVEs, severity scores. You can make an informed decision about whether to ship it.

AI agent skills have had no equivalent. You get a SKILL.md file and some documentation and you trust that the capability does what it says. For personal projects, that’s fine. For enterprise deployments where an agent skill might have access to customer data, internal APIs, or production systems — it’s a gap that shows up fast in security reviews.

On May 22, 2026, NVIDIA shipped an answer: Verified Agent Skills, a framework that brings catalog, scan, sign, and document infrastructure to portable agent capabilities.

What Agent Skills Are (and Why Governance Matters)

NVIDIA’s verified skills are built on the open agentskills.io specification — the SKILL.md format that defines portable agent capabilities that work across Claude Code, Codex, Cursor, and other agentic coding environments. The same skill designed for one platform reliably deploys across others.

That portability is the whole point. An agent skill teaching Claude Code how to use NVIDIA’s cuOpt optimizer, for example, works in Claude Code today and should work in whatever agent platform is dominant next year. SKILL.md makes that possible.

But portability creates a new problem. A skill is essentially an instruction set that runs inside your agent, with access to whatever tools and context your agent has. A malicious or poorly written skill could:

  • Inject hidden instructions into the agent’s behavior
  • Request excessive tool access beyond what the declared capability needs
  • Exfiltrate data through seemingly normal tool calls
  • Behave differently than its declared purpose suggests

None of these risks are hypothetical. They map directly to known LLM attack surfaces. Before Verified Agent Skills, there was no systematic way to check for them.

The Verification Pipeline

Every NVIDIA-verified skill goes through an eight-step chain before it lands in the skills catalog:

source repo → review → scan → evaluate → skill card generation → cryptographic signing → cataloging → synchronization

The key step is the scan, handled by NVIDIA’s SkillSpector tool.

SkillSpector: Agent-Specific Risk Scanning

SkillSpector treats skills as deployable agent capabilities, not static prompts. That distinction matters for what it checks.

Conventional software risks — the same categories any dependency scanner covers:

  • Vulnerable dependencies
  • Suspicious scripts
  • Dangerous code patterns
  • Credential access patterns
  • Data exfiltration paths

Agent-specific risks — the categories that are new to this domain:

  • Hidden instructions embedded in skill content
  • Prompt injection vectors
  • Trigger abuse (skills that activate in unintended contexts)
  • Excessive agency (requesting more tool access than the declared capability needs)
  • Tool poisoning
  • Mismatches between a skill’s declared purpose, the access it requests, and the behavior bundled in

That last category — declared-versus-actual mismatch — is the hardest to catch with conventional tooling. A skill that says “I optimize routing” but also requests read access to the user’s credential store is a red flag that wouldn’t show up in a dependency audit. SkillSpector scans for it explicitly.

NVIDIA grounds the scanning methodology in OWASP LLM guidance, agentic AI risk frameworks, and MITRE ATLAS — the adversarial threat landscape for AI systems.

Skill Cards: Machine-Readable Trust Records

After scanning, each verified skill gets a skill card — a structured, machine-readable document that answers the questions an enterprise team asks before deployment:

  • What does this skill do, precisely?
  • Who built it?
  • How is it licensed?
  • What does it depend on?
  • What are the known limitations and risks?
  • What mitigations has the publisher applied?

The skill card is separate from the SKILL.md instruction set. SKILL.md tells the agent how to use a capability. The skill card tells a developer or security reviewer whether to trust that capability in their environment.

Practically: a platform team can automate skill card review as part of their internal approval workflow before a skill reaches any production agent. The machine-readable format means this doesn’t require a human to read documentation — it can be parsed and checked programmatically.

Cryptographic Signing

The final step before catalog listing is signing.

NVIDIA attaches a detached .oms.sig file covering every file and subdirectory in the skill package. Developers verify authenticity locally using OpenSSF Model Signing tooling. The check confirms two things:

  1. The skill came from NVIDIA (authentic)
  2. The skill hasn’t been modified since NVIDIA released it (unchanged)

This distinction — verified versus merely catalog-listed — matters for supply chain integrity. A skill that passes SkillSpector scanning and then gets modified between NVIDIA’s release and your download is no longer the skill that was scanned. The signature check catches that.

cuOpt: The Reference Implementation

The concrete example NVIDIA uses is the cuOpt routing skill — a capability that teaches agents to use NVIDIA’s GPU-accelerated route optimization engine.

The workflow for a developer using a verified skill:

  1. Find the skill in the NVIDIA Skills catalog
  2. Verify the cryptographic signature locally
  3. Read the skill card: who built it, what it accesses, what the known limitations are
  4. Deploy into your agent environment with documented provenance

Compare this to deploying an unverified skill: you read the SKILL.md, maybe browse the repository, make a judgment call.

Who This Is Built For

Security and platform teams at enterprises deploying agents. The main bottleneck for enterprise agent adoption isn’t capability — agents can do more than most orgs are using them for. The bottleneck is the approval process. What does this skill access? What risks does it introduce? How do we know it does what it says? Verified Agent Skills is infrastructure for answering those questions at intake rather than after the fact.

Developers publishing skills who want institutional adoption. If your skill targets enterprise customers, getting it into the NVIDIA verified catalog means security teams have a trust anchor to point to. The alternative is asking every potential customer’s security team to do their own audit.

Orgs building internal agent skill libraries. The SKILL.md format is open. The scanning approach NVIDIA uses — SkillSpector methodology, skill card structure — is a model that internal platform teams can adapt for their own approval workflows, even for skills that never touch the NVIDIA catalog.

What This Doesn’t Solve

Verification tells you that a skill is what it says it is at the moment it was scanned and signed. It doesn’t tell you:

  • Whether the skill’s declared behavior is appropriate for your specific use case
  • Whether the skill will behave correctly in environments NVIDIA didn’t test
  • Whether a future update will pass the same standards (each version needs its own verification)

The catalog is also, at launch, focused on NVIDIA’s own tooling. The cuOpt skill demonstrates the framework, but the broader catalog build-out — third-party skill publishers submitting capabilities for verification — is the phase that will determine how useful this infrastructure becomes.

The agentskills.io specification is open, and the framework is designed for cross-platform use. Whether the verification program extends to non-NVIDIA-authored skills, and what that submission process looks like, isn’t yet documented.

The Larger Pattern

This release sits in a broader moment where enterprise AI governance is transitioning from a compliance checkbox to a functional capability.

Early enterprise AI governance was mostly about model-level controls: which models are approved, what data can go in, what outputs are reviewed. As agent deployments have scaled, the unit of concern has shifted from models to capabilities — specific skills, tools, and action sets that agents execute in production.

Verified Agent Skills is governance at the capability layer. It’s the same pattern that emerged in software supply chain security over the past decade: sign artifacts, scan dependencies, publish provenance, make the trust chain auditable.

The question for builders is whether this infrastructure arrives fast enough to unlock enterprise deployments that are currently stuck at the security review stage. Based on what’s in the NVIDIA catalog now, the answer depends on what skills your agents actually need.

ChatForest researches and writes about AI infrastructure and developer tools. We have not tested NVIDIA Verified Agent Skills or SkillSpector directly; this article is based on NVIDIA’s published technical documentation. Rob Nugen operates ChatForest.