NVIDIA Verified Agent Skills: SkillSpector and Skill Cards (2026)

NVIDIA shipped Verified Agent Skills on May 22 — a governance framework for the AI agent skill ecosystem that has been accumulating malicious payloads at scale. Three months ago, Snyk’s ToxicSkills study scanned 3,984 skills on ClawHub and found critical security issues in 13.4% of them, 36% with prompt injection, and 76 confirmed credential-stealing or backdoor payloads. The skills catalog grew 10x in volume in weeks. The vetting didn’t. NVIDIA’s framework — SkillSpector, skill cards, cryptographic signing — is the first structural answer to a problem the agentic AI community has been ignoring.

The Agent Skill Supply Chain Is Actively Compromised

Agent skills are not npm packages. They are closer to shell scripts with elevated privileges. When a malicious skill is loaded into Claude Code, Cursor, or Codex, it runs with the full permissions of that agent — reading your codebase, accessing environment variables, making API calls. There is no sandbox. A compromised skill is a compromised development environment.

That is the context for NVIDIA’s move. The agent skill ecosystem exploded from under 50 new skills per day to over 500 per day within weeks in early 2026. ClawHub, the dominant registry, had no systematic vetting. Snyk’s audit found 1,467 malicious payloads across 3,984 skills — trojans, cryptominers, AMOS stealer, and credential harvesters. Eight of those skills were still publicly available when the report was published.

This is the npm supply chain moment for agentic AI, and it is already past the “theoretical risk” stage.

SkillSpector: Scan Before You Install

SkillSpector is NVIDIA’s open-source security scanner for agent skills. It checks 64 vulnerability patterns across 16 categories, split into conventional software risks and agent-specific risks.

The conventional checks are familiar: vulnerable dependencies (queried against OSV.dev in real time), suspicious scripts, dangerous code patterns, and credential access paths. The agent-specific checks are what matters here: hidden instructions, prompt injection, trigger abuse, excessive agency, tool poisoning, purpose-access mismatches, and memory poisoning. These are the attack vectors that standard static analysis tools miss entirely.

SkillSpector runs two stages: fast static analysis first, optional LLM semantic evaluation second for subtle behavioral threats. Output formats include terminal, JSON, Markdown, and SARIF for CI pipeline integration.

# Install SkillSpector
pip install skillspector

# Scan a local skill directory
skillspector scan ./my-skill/

# Scan from GitHub
skillspector scan https://github.com/someone/their-skill

# Output SARIF for CI
skillspector scan ./my-skill/ --format sarif > results.sarif

Skill Cards: What You Are Actually Installing

Every skill in NVIDIA’s verified catalog ships with a skill card: a machine-readable YAML/JSON document that spells out who built the skill, what license it carries, which external APIs it calls, what its known limitations are, and what the risk mitigations look like. SkillSpector scan results and the signing certificate reference are included.

Skill cards enable automated policy enforcement. An enterprise team can write a policy that rejects any skill calling an external API not on an approved list, or that requires a clean SkillSpector scan for any skill requesting filesystem access. This is the governance layer that ClawHub does not have.

Skills are cryptographically signed using the OpenSSF Model Signing standard, with the signature covering every file in the skill directory. Verification is two commands:

# Download NVIDIA root certificate
curl -O https://developer.nvidia.com/agent-skills/nv-agent-root-cert.pem

# Verify a skill's signature
model_signing verify --cert nv-agent-root-cert.pem ./skill-directory/

Using the Verified Catalog Now

Installation is handled through npx with no manual cloning required. NVIDIA’s first published skill is cuOpt — the numerical optimization and route-planning API — with more added through a daily automated sync pipeline.

# Browse the catalog
npx skills add nvidia/skills --list

# Install a specific skill
npx skills add nvidia/skills --skill cuopt-numerical-optimization-api-python

# Install into multiple agents at once
npx skills add nvidia/skills --skill cuopt-numerical-optimization-api-python   --agent claude-code --agent cursor --agent codex

The full catalog lives at github.com/NVIDIA/skills. It is sparse today, but the pipeline is in place.

What Developers Should Do Right Now

NVIDIA’s framework is a signal, not a complete solution. ClawHub still has thousands of unverified skills. The ecosystem has not adopted these standards broadly yet. OWASP’s Top 10 for Agentic Applications maps directly to what SkillSpector catches — ASI01 (agent goal hijacking), ASI04 (credential exposure), ASI07+ (skill ecosystem attacks) — but recognition in a framework does not protect running agents.

1. Run SkillSpector on every skill in your current setup. If you have installed skills from ClawHub or any unverified registry, scan them now. Use the SARIF output to integrate into CI so new installs are checked automatically.
2. Prefer the NVIDIA verified catalog when a skill exists there. The pipeline is not infallible, but it is materially better than no vetting.
3. Read skill cards before installing anything with external API access. If a skill calls services you did not expect, that is the signal to look harder before it runs with your agent’s credentials.

The supply chain problem for agent skills was predictable — the same trajectory as npm, pip, and RubyGems before them. NVIDIA is the first major infrastructure vendor to respond with tooling rather than warnings. That is worth paying attention to, even if the catalog is thin for now.