Tandemn Tuna Skill

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: tandemn-tuna
Version: 0.0.1

The skill is classified as suspicious due to its broad capabilities involving extensive cloud resource management and credential handling across multiple providers (AWS, Azure, GCP, Modal, RunPod, Baseten, Cerebrium). The `SKILL.md` instructs the agent to execute various external binaries (`uv`, `aws`, `az`, `gcloud`, `modal`, `truss`, `cerebrium`, and the custom `tuna` CLI) and manage sensitive API keys/credentials. While these actions are necessary for the skill's stated purpose of deploying LLMs, they present a significant attack surface for prompt injection against the agent or potential misuse, leading to unauthorized cloud resource consumption or data exposure if not handled with extreme care by the agent and underlying tools.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If installed or invoked with broad cloud credentials, the tool could create billable infrastructure or modify cloud resources in the connected accounts.

Why it was flagged

This shows the skill expects provider tokens and local cloud authentication. Those credentials can authorize cloud resource creation and deletion, but the supplied metadata declares no primary credential or env vars and the artifacts do not specify narrow permission scopes.

Skill content

Each serverless provider needs its own credentials. Run `tuna check --provider <name>` to verify setup. ... `modal token new` ... `export RUNPOD_API_KEY="your-api-key"` ... `gcloud auth login`

Recommendation

Use a dedicated low-privilege cloud project/account, scoped API keys, budgets/quotas, and explicit provider/project/region settings before allowing deployment commands.

What this means

A mistaken invocation could incur charges, expose an inference endpoint publicly, or delete deployments.

Why it was flagged

The documented CLI includes high-impact cloud operations: launching deployments, exposing an unauthenticated public endpoint, and bulk teardown. These are purpose-aligned but should not be run automatically or casually.

Skill content

`tuna deploy --model <HuggingFace-model-ID> --gpu <GPU> [options]` ... `--public` — Make endpoint publicly accessible (no auth) ... `tuna destroy --all`

Recommendation

Require explicit user confirmation for deploy, destroy, `--all`, and `--public`; prefer authenticated/private endpoints and verify service names before teardown.

What this means

The clean static scan only covers the skill wrapper, not the installed `tuna` package code that will perform cloud operations.

Why it was flagged

The runtime behavior is provided by an external package-installed binary. This is expected for a CLI skill, but no package source code is included in the supplied artifacts for review.

Skill content

uv | package: tandemn-tuna | creates binaries: tuna

Recommendation

Review the package source and publisher, pin a trusted version, and install in an isolated environment before granting cloud credentials.

What this means

Misconfigured deployments may keep running, continue billing, or route traffic across providers after the initial command completes.

Why it was flagged

The skill intentionally automates traffic shifting and persistent cloud capacity. This is disclosed, but a bad configuration can continue consuming resources or route traffic unexpectedly.

Skill content

Once spot is ready, traffic shifts there. If spot gets preempted, traffic falls back to serverless automatically. ... `--no-scale-to-zero` — Keep at least 1 spot replica running

Recommendation

Set budgets and alerts, keep scale-to-zero enabled unless needed, monitor deployment status and cost, and destroy unused services promptly.