OpenClaw and NVIDIA Partner on Verified Agent Skills Initiative

OpenClaw has partnered with NVIDIA on a shared initiative to bring verified, trustworthy skill artifacts to the entire agent ecosystem. The collaboration was announced on the OpenClaw blog and centers on two new components: NVIDIA Skill Cards and NVIDIA SkillSpector.

NVIDIA Skill Cards

Every skill published to ClawHub now ships with an open NVIDIA Skill Card — a trust artifact that documents who published it, what the skill claims to do, what the verification pipeline found, and exactly where the code came from. The card is generated by ClawHub’s verification pipeline, not self-described by the publisher, and is readable both on the skill detail page and from the terminal via openclaw skills verify <slug> --card.

NVIDIA SkillSpector

SkillSpector is NVIDIA’s new agent-skill scanner, combining static analysis with AI-assisted semantic checks. Where traditional malware scanners flag known bad files, SkillSpector is designed to catch agentic risks — hidden instructions, overbroad capabilities, risky code paths, and mismatches between a skill’s declared purpose and its actual behavior. It runs alongside OpenClaw’s existing static analysis and VirusTotal checks as part of the pre-publication gate.

The ClawScan Pipeline

When a new skill version is published, an OpenAI Codex agent evaluates the output of three independent scanners — OpenClaw’s static analysis, VirusTotal, and NVIDIA SkillSpector — alongside provenance, metadata, and moderation history. The result is a Skill Card with a final verdict: Clean, Suspicious, or Malicious.

Why It Matters

Agent skills are a known attack vector. A seemingly helpful skill can quietly ship logs, escalate privileges, or manipulate an agent into destructive actions — none of which a virus scanner would catch. This partnership aims to make ClawHub the first agent skill registry where users can independently verify what they’re installing, not just trust the publisher’s word for it.

An open dataset is also being released so the broader community can build on the verification work.

← Back to News