Safety Report

NVIDIA NIM Skill

Name: NVIDIA NIM Skill
Author: d-wwei

Invoke various LLMs (GLM-5, Kimi-k2.5, Llama 3.1, etc.) via NVIDIA NIM API to save main agent tokens and leverage specialized model capabilities.

276Downloads

1Installs

0Stars

1Versions

API Integration4,971 Search & Retrieval2,116 AI & Machine Learning1,383 DevOps & Infrastructure1,045

Security Analysis

medium confidence

Suspicious0.04 risk

The skill mostly does what its name says (calls NVIDIA NIM), but there are inconsistencies (metadata omits the required API key) and an insecure networking choice (TLS verification is disabled) that make it suspicious until reviewed or fixed.

Feb 23, 20263 files3 concerns

Purpose & Capabilitynote

The name/description claim to call NVIDIA NIM models and the included script implements that mapping and HTTP call. That capability aligns with the stated purpose. However the registry metadata reports no required env vars while SKILL.md and scripts clearly require NVIDIA_API_KEY — a mismatch that needs explanation.

Instruction Scopeconcern

SKILL.md instructs only to set NVIDIA_API_KEY and run the script — scope is limited and consistent with purpose. The included script, however, disables TLS verification (ssl.check_hostname = False and ssl.verify_mode = ssl.CERT_NONE), which is an out-of-band insecure behavior not discussed in the documentation and expands the risk surface (makes MITM attacks possible and could enable token interception if the endpoint is spoofed).

Install Mechanismok

No install spec; code is instruction-only with a small Python script using stdlib urllib. No external downloads or package installs are declared — lowest install risk. (That said, the presence of a code file means the script should be audited before running.)

Credentialsconcern

The skill needs a single API key (NVIDIA_API_KEY) which is proportional to the stated purpose, but the registry metadata incorrectly lists required env vars as none. This inconsistency is suspicious because it hides the need for a secret in the metadata. The README and SKILL.md both instruct the user to export NVIDIA_API_KEY.

Persistence & Privilegeok

The skill does not request persistent/autonomous special privileges (always: false, no config path changes). It does not modify other skills or request broad system access.

Guidance

This skill appears to implement exactly what it says (calling NVIDIA NIM models), but you should not install or run it without review and a small set of fixes/confirmations: 1) The registry metadata omits the required NVIDIA_API_KEY — that should be corrected so you know a secret is needed. 2) The Python script disables TLS verification (ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE). That is insecure and should be removed so HTTPS certificate checking is enforced. 3) Confirm the source/author and hosting origin (there's no homepage). Only obtain an API key from the official NVIDIA site and prefer short-lived or least-privilege keys. 4) Run the script in an isolated environment (or container) and review the code before setting any production secrets. 5) If you accept this skill, ask the maintainer to: (a) update registry metadata to declare NVIDIA_API_KEY as required, (b) re-enable TLS verification, and (c) document the exact endpoints and model IDs used. Until these are addressed, treat the skill as suspicious rather than benign.

Latest Release

v1.0.0

Initial release of NVIDIA NIM skill for OpenClaw

Popular Skills

Trakt.tv

@d-meagher · 4 stars

x402 (official examples)

@notorious-d-e-v · 2 stars

dungeons-and-lobsters

@D-L-Leapyear · 0 stars

Folder Inspector

@JayXu-D · 0 stars

My Generate Qr Code

@JayXu-D · 0 stars

self-improving-agent

@pskoett · 1,456 stars

Published by @d-wwei on ClawHub