Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tandemn Tuna Skill
v0.0.1 · Deploy and serve LLM models on GPU. Compare GPU pricing. Launch vLLM on Modal, RunPod, Cerebrium, Cloud Run, Baseten, or Azure with spot instance fallback. O...
⭐ 0 · 464 · 0 current · 0 all-time
by Hetarth Chopra (@choprahetarth)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The name/description (deploy LLMs on serverless + spot GPUs) aligns with the instructions and commands in SKILL.md. Requiring a cloud CLI (aws or az) for spot fallback is plausible. Requiring the 'uv' binary is consistent with the provided 'uv pip install tandemn-tuna' install step, though 'uv' is an uncommon installer and should be verified.
Instruction Scope
The SKILL.md instructs the agent/user to perform provider-specific authentication (RunPod API key, gcloud auth, modal token, Azure subscription/env variables, etc.). However those env vars and credential expectations are not declared in the skill metadata. The instructions also include an option to make endpoints public (--public) which is a meaningful security choice for the operator; the skill does not appear to instruct the agent to read unrelated local files, but it does rely on provider configs and CLIs which will access cloud credentials.
Install Mechanism
Install uses a uv package (tandemn-tuna) that creates a tuna binary. This is an instruction-only skill with an install spec pointing to a package manager rather than a direct download, which is lower risk than arbitrary URL downloads. However, 'uv' is not a mainstream installer in many environments — verify what 'uv' is and that tandemn-tuna's package on the referenced repository/registry is legitimate before installing.
Credentials
Declared required env vars: none. But SKILL.md clearly expects multiple provider credentials and environment variables (RUNPOD_API_KEY, GOOGLE_CLOUD_PROJECT / gcloud auth, Azure subscription/resource group/env, etc.). This mismatch means the skill metadata understates credential needs; users will need to supply sensitive cloud/API credentials for normal operation.
Persistence & Privilege
always:false and no config paths requested. The skill does not demand permanent presence or cross-skill configuration. It will rely on external provider configs (e.g., Modal, gcloud), which is expected for a deployment tool.
What to consider before installing
This skill appears to do what it says (hybrid serverless + spot GPU deployments) but there are important mismatches you should resolve before installing:
1) The skill metadata declares no required environment variables while the instructions require many provider credentials (RunPod API key, gcloud/auth, Azure subscription info, etc.). Assume you will need to provide cloud/API keys.
2) The installer uses a 'uv' tool and an upstream package named tandemn-tuna — verify the 'uv' binary's provenance and inspect the tandemn-tuna package source (the SKILL.md includes a GitHub URL) before running it.
3) Be cautious with the --public option (creates unauthenticated endpoints) and with giving the tool high-privilege cloud credentials — consider using a dedicated, limited-permission cloud account or billing project for testing.
If you want this assessed as 'benign' rather than 'suspicious', provide the package repository or package contents (so we can confirm there are no hidden network callbacks or unexpected credential exfiltration) and update the skill metadata to list the exact env vars it needs.
Latest version id: vk97dbfjpxsn96ac4pr0r843ann81pdje
Runtime requirements
🐟 Clawdis
Bins: uv
Any bin: aws, az
Install (uv)
Bins: tuna
uv tool install tandemn-tuna