Kai Ole Hartwig — Blog

NVIDIA signs agent skills — supply chain discipline arrives at the AI agent capability layer

23 May 2026. On 19 May (last modified 21 May) NVIDIA introduced the NVIDIA-Verified Agent Skills — portable SKILL.md packages scanned with SkillSpector, signed with OpenSSF Model Signing, and shipped with a machine-readable Skill Card. They run cross-vendor in Claude Code, Codex and Cursor. For the first time a major vendor brings supply chain discipline into the agent capability layer.

A narrow fan of cream-coloured skill cards lies slightly left of centre on a warm, dark walnut desk; each card bears an embossed compass mark at its top edge. On the front card sits a freshly placed drop of wax in deeply saturated oxblood lacquer, the only saturated colour in the image, directly beneath a walnut-handled, brass-coloured seal whose burnished seal head has just been lifted from the wax. At the lower left, a narrow brass-fitted catalogue book lies open on the walnut surface, cream pages with three handwritten pencil lines in illegible column abbreviations, held by a brass page clip. Beside it, a small dark ceramic espresso cup in the warm cone of light. At the left edge of the image, a brass-stemmed desk lamp casts a tight, warm circle of light over cards, seal handle and catalogue book. At the upper right, in the soft haze of light, a brass-coloured magnifying glass rests slightly tilted on the walnut surface, its lens angled towards the front card. At the right edge, a soft golden bokeh view of the Moselle terraced slopes in gentle evening light. Cinematic chiaroscuro between the warm interior and the bright valley view.
AI-generated · gpt-image 2.0

What happened

The NVIDIA team around Moshe Abramovitch, Michael Boone, Sayali Kandarkar, Daniel Major and Nir Paz describes an eight-step publication workflow: source repo → review → scan → evaluate → skill card → sign → catalog → sync. The skill is a portable instruction file following the open agentskills.io specification; it counts as verified only after all eight steps have been completed. Scanning is handled by SkillSpector, which checks both classic software risks (vulnerable dependencies, credential paths) and agent-specific ones — prompt injection, tool poisoning, excessive agency, hidden instructions, mismatches between stated purpose and actual behaviour. The signature is a detached skill.oms.sig following OpenSSF Model Signing (OMS), verifiable with model_signing verify certificate against nv-agent-root-cert.pem. The machine-readable Skill Card describes ownership, licence, dependencies, known limitations and mitigations.

What it means

Until now agent skills were what container images were before SBOM and Sigstore — bundles with implicit provenance. NVIDIA shifts the trust anchor from publisher to artefact hash: every file in the skill directory is covered by the signature, not just the claim “this skill came from this account”. Methodologically, the scanner builds on the OWASP LLM Top 10, the OWASP Agentic AI Risks and MITRE ATLAS. Two things become clear: agent-specific risks need their own scanner classes — prompt injection detection is no longer nice-to-have, it is publication-blocking. And the standard stack (SKILL.md / OMS / Skill Card) is explicitly cross-vendor: the same skill runs in Claude Code, Codex and Cursor.

What it means for the German Mittelstand

For DACH Mittelstand companies the announcement is not a product launch but a procedure — and that is the point. Anyone pulling agent skills from GitHub repos, npm packages or copy-paste into production workflows is running a shadow supply chain without an inventory. The Skill Card is the SBOM equivalent for AI capabilities. Three mandatory questions per skill admission: Is there a Skill Card? Is the signature verified against a trusted root? Do the declared tool and data accesses match the internal permission model?

The data protection reflex sits directly in the Skill Card. The “Dependencies” and “Data flows” fields disclose which endpoints a skill contacts — third-country transfers become visible before install, not only in the tool-call log. If you process personal data in agent-driven workflows, the Skill Card belongs in the data processing agreement documentation from now on; coordinate with your data protection officer before the first signed skill goes into production.

NIS-2 and the EU AI Act close in from two sides. NIS-2 requires documented ICT supply chain risk management (§ 30 NIS2UmsuCG draft, Art. 21 NIS-2); a workflow with unsigned skills is hard to defend in an audit. The EU AI Act requires risk management, data quality evidence and technical documentation for high-risk systems under Art. 9–15 — the Skill Card addresses exactly these fields at the capability layer. Financial institutions additionally fall under DORA Art. 28 ff.

What it means for technical development

Architecturally the construction is more interesting than the brand. NVIDIA does not build a proprietary standard but stacks on OpenSSF components: Model Signing as the cryptographic layer, SKILL.md from the agentskills.io spec, MITRE ATLAS and OWASP as the risk taxonomy. Anthropic, OpenAI and Google can adopt the pattern without breaking anything; internal skill registries in Mittelstand companies follow the same path. model_signing verify certificate is immediately deployable as a CI step — a skill without a green verify is a build failure, not an audit note.

For MCP servers the analogue holds: anyone writing a server that loads skills pulls the verify obligation into the load path, not into a maintenance job. The SkillSpector classes will migrate into the MCP frameworks themselves over time, in the same way that static analysis moved into modern CI pipelines: verification at the entry, audit log at the exit, Skill Card in the middle.

Concrete recommendation

In this order. First, set up a slim skill inventory — which skills run in Codex, Claude Code or Cursor workflows, with source, hash and ownership. Second, build model_signing verify certificate as a CI step into the path that brings skills into the production repository; only signed skills verified against nv-agent-root-cert.pem or your internal root pass through. Third, adopt the Skill Card template from NVIDIA/Trustworthy-AI for your own internal skills — the Skill Card moves into the DSFA (data protection impact assessment) and the processing register. Fourth, coordinate with the data protection officer and the NIS-2 lead on how the Skill Card is taken up into the existing risk management. The interesting question is not whether you deploy agent skills. It is whether tomorrow morning you can say for every production skill who signed it and what it touches.
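The three admission questions from the Mittelstand section and the inventory-plus-CI-gate recommendation above, as an added Python example that is not NVIDIA's code: the Skill Card filename and JSON field names (owner, tools, data_flows), the `--signature` and `--certificate_chain` option names for the model_signing CLI and the sample skill directory are all assumptions constructed for this illustration.

```python
import hashlib, json, subprocess, tempfile
from pathlib import Path

SIG_NAME = "skill.oms.sig"      # detached OMS signature, as named in the post
CARD_NAME = "skill-card.json"   # assumed filename and format for the Skill Card

def skill_digest(skill_dir: Path) -> str:
    # Inventory hash over every file except the detached signature (not the OMS manifest format).
    h = hashlib.sha256()
    for p in sorted(skill_dir.rglob("*")):
        if p.is_file() and p.name != SIG_NAME:
            h.update(f"{p.relative_to(skill_dir).as_posix()}\0{hashlib.sha256(p.read_bytes()).hexdigest()}\n".encode())
    return h.hexdigest()

def verify_with_model_signing(skill_dir: Path, root_cert: Path) -> bool:
    # The CI verify step; option names are assumptions from the model_signing CLI.
    cmd = ["model_signing", "verify", "certificate", str(skill_dir),
           "--signature", str(skill_dir / SIG_NAME), "--certificate_chain", str(root_cert)]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def admit_skill(skill_dir, permission_model, root_cert, verifier=verify_with_model_signing):
    # Answers the three admission questions; any finding blocks the skill from production.
    skill_dir, findings = Path(skill_dir), []
    card_path = skill_dir / CARD_NAME
    card = json.loads(card_path.read_text()) if card_path.exists() else None
    if card is None:
        findings.append("no Skill Card"); card = {}
    if not (skill_dir / SIG_NAME).exists():
        findings.append("no detached signature")
    elif not verifier(skill_dir, Path(root_cert)):
        findings.append("signature does not verify against trusted root")
    for tool in card.get("tools", []):
        if tool not in permission_model["tools"]:
            findings.append(f"tool not in permission model: {tool}")
    for endpoint in card.get("data_flows", []):
        if endpoint not in permission_model["endpoints"]:
            findings.append(f"endpoint not in permission model: {endpoint}")
    return {"admitted": not findings, "findings": findings,
            "digest": skill_digest(skill_dir), "owner": card.get("owner")}

def build_demo_skill() -> Path:
    # Constructed sample skill directory with placeholder content (not a real NVIDIA skill).
    d = Path(tempfile.mkdtemp())
    (d / "SKILL.md").write_text("# demo skill\nSummarise tickets from the internal helpdesk.\n")
    card = {"owner": "platform-team", "tools": ["read_file", "shell"], "data_flows": ["helpdesk.internal.example"]}
    (d / CARD_NAME).write_text(json.dumps(card))
    (d / SIG_NAME).write_bytes(b"placeholder signature bytes")
    return d
```

The returned record (digest, owner, findings) is the inventory row; in CI, a non-empty findings list fails the build rather than producing an audit note.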

This article reflects my technical and strategic assessment. It does not replace legal advice or a data protection impact assessment.

About the author

Photo of Kai Ole Hartwig.

Kai Ole Hartwig

Freelance DevSecOps consultant · OnlyOle Consulting

Programming since 2002 – self-taught, set up my own business with KO-Web in 2012. Over 100 projects, with a focus on security, performance, automation and quality. Today freelance: DevSecOps consulting, training and software development.
