Nvidia Agent Fleet
ReviewAudited by ClawScan on May 10, 2026.
Overview
This is mostly a disclosed NVIDIA model dispatcher, but it automatically searches local credential/config files and sources your shell startup file to find an NVIDIA API key.
Review this skill carefully before installing. It is not clearly malicious, but its credential discovery is more invasive than necessary because it probes local config files and sources ~/.zshrc. Use an explicit NVIDIA_API_KEY if you proceed, avoid sending sensitive prompts, and be cautious with the under-disclosed stock-analysis behavior.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the dispatcher could unexpectedly run commands from your shell startup file while trying to find an NVIDIA API key.
The dispatcher sources ~/.zshrc through a shell command during API-key discovery. Sourcing a shell startup file can execute arbitrary commands in that file, which is broader than simply reading a key.
subprocess.run(["bash", "-c", f"source {zshrc} && echo $NVIDIA_API_KEY"], capture_output=True, text=True, timeout=5)Prefer explicitly setting NVIDIA_API_KEY or parsing config files safely without sourcing shell scripts. The skill should ask before probing local config and should not execute shell startup files.
The skill may use an existing NVIDIA account credential and incur account/API usage without the permission boundary being clearly declared in metadata.
The skill intentionally auto-discovers a sensitive NVIDIA API key from environment and local config files, even though the registry metadata declares no primary credential, required env vars, or required config paths.
API Key 自动发现 ... 1. $NVIDIA_API_KEY ... 2. ~/.zshrc ... 3. openclaw.json
Install only if you expect this skill to use your NVIDIA API key. The publisher should declare the credential and config paths explicitly and provide an opt-in setup flow.
Anything you ask the fleet, including sensitive text, may be sent to NVIDIA's API and potentially to multiple selected models in multi/parallel mode.
User prompts are sent to the NVIDIA Integrate API as part of the expected model-dispatch workflow.
"messages": [{"role": "system", "content": system_prompt}, {"role": "user", "content": user_message}] ... f"{BASE_URL}/chat/completions"Do not send secrets or private data unless you are comfortable with NVIDIA API processing and your account's data-handling terms.
Stock-related questions may be routed to an under-disclosed financial-advice persona, which could make outputs feel more authoritative than warranted.
The runtime registry contains a stock-analysis agent that asks the model to give specific trading/operation suggestions, but this agent is not included in the SKILL.md table of 19 agents.
"stock-analyst": { ... "specialty": "A股分析、六维框架、股票诊断", ... "给出具体的指标数据和操作建议"Treat any investment-related output as informational only and verify it independently. The publisher should list this agent clearly and add financial-risk disclaimers.