NVIDIA's Verified Agent Skills add risk scanning and trust metadata for AI agents

NVIDIA announced NVIDIA-Verified Agent Skills, a new framework designed to make AI agent capabilities easier to trust, distribute, and verify across enterprise environments. The company describes agent skills as portable instruction sets that guide AI systems in the correct use of CUDA-X libraries, AI Blueprints, and related platform tools. Skills included in the NVIDIA/skills GitHub repository are cataloged and synchronized daily by the product team responsible for them, reviewed for software and agent-related risks before release, signed with a detached skill.oms.sig file that can be checked after download, and accompanied by a skill card that records ownership, dependencies, limitations, and verification status. NVIDIA said evaluation will become an additional layer in the verification process, introducing standardized quality measures such as trigger accuracy, task completion rate, and token efficiency.

According to NVIDIA, a verified skill begins in a source repository managed by a product team and then moves through a publication pipeline that may include human review, automated policy enforcement, scanning, evaluation, skill card generation, signing, cataloging, and synchronization. The publication pipeline includes scanning through SkillSpector, which checks conventional software risks such as vulnerable dependencies, suspicious scripts, dangerous code patterns, credential exposure, and possible data exfiltration paths, as well as agent-specific concerns such as hidden instructions, prompt injection, tool poisoning, and excessive permissions. NVIDIA is also experimenting with cryptographic signing to strengthen provenance, covering the skill directory contents so users can confirm authenticity and integrity. The skill card serves as the central trust record for both developers and enterprise teams, offering a structured way to review compatibility, dependencies, known risks, and verification status.