GPU CLI: Remote GPU Compute for ML Training and Inference

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate GPU CLI wrapper, but it grants broad command authority that can affect accounts, paid compute, and existing GPU jobs in ways that are not tightly scoped.

Review before installing. Use this only if you are comfortable giving the agent authority to run the local gpu CLI, including account-related commands and state-changing GPU resource management. Avoid ambiguous requests, watch for paid compute use, and be aware that interrupted runs may issue a broad stop command that could affect other GPU jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding
The skill exposes shell execution capability via `Bash(runner.sh*)` but does not declare explicit permissions beyond frontmatter metadata, creating a mismatch between apparent trust boundaries and actual execution power. Even though the description claims guarding, allowlisting, and sanitization, the skill still authorizes local command execution that may trigger paid GPU jobs or interact with external services through the `gpu` binary, so under-declared capabilities can mislead reviewers and downstream policy enforcement.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The wrapper is described as a guarded way to run local GPU commands, but the allowlist includes `auth`, which can alter account/session state outside the local host. In an agent setting, this expands the skill from inspection/execution into identity and account management, increasing the chance of unintended external side effects under the guise of a 'safe' wrapper.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The allowlist includes broad management actions like `daemon`, `volume`, `notebook`, `llm`, and `comfyui`, which exceed the stated role of a safe local GPU command wrapper. This capability creep undermines the safety boundary by permitting service control, workload creation, and state-changing operations that may consume resources or modify environment state unexpectedly.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
On timeout or interrupt, the script runs `gpu stop -y` without tracking which resource was started by this invocation. That can terminate unrelated running jobs or shared resources, making the cleanup behavior broader and riskier than the 'safe' wrapper description suggests.

Vague Triggers

Medium
Confidence: 90%
Finding
The README advertises activation on broad natural-language phrases like "Use GPU CLI to ...", which can cause the skill to trigger unexpectedly from ordinary conversation rather than explicit invocation. In an agent environment that can execute local commands, accidental or prompt-injected activation increases the chance of unintended command execution, even if wrapper guardrails reduce the blast radius.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger phrase "Run on a GPU" is broad enough to match ordinary user requests that are not necessarily intended to invoke this specific skill. In an agent context, ambiguous activation can cause the wrapper to be invoked unexpectedly, increasing the chance of unintended command execution paths, user confusion, or accidental use of paid compute resources despite the skill's safety-oriented settings.

VirusTotal

65/65 vendors flagged this skill as clean.