NVIDIA NIM Skill
Invoke various LLMs (GLM-5, Kimi-k2.5, Llama 3.1, etc.) via NVIDIA NIM API to save main agent tokens and leverage specialized model capabilities.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 457 · 2 current installs · 2 all-time installs
by@d-wwei
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description claim to call NVIDIA NIM models and the included script implements that mapping and HTTP call. That capability aligns with the stated purpose. However the registry metadata reports no required env vars while SKILL.md and scripts clearly require NVIDIA_API_KEY — a mismatch that needs explanation.
Instruction Scope
SKILL.md instructs only to set NVIDIA_API_KEY and run the script — scope is limited and consistent with purpose. The included script, however, disables TLS verification (ssl.check_hostname = False and ssl.verify_mode = ssl.CERT_NONE), which is an out-of-band insecure behavior not discussed in the documentation and expands the risk surface (makes MITM attacks possible and could enable token interception if the endpoint is spoofed).
Install Mechanism
No install spec; code is instruction-only with a small Python script using stdlib urllib. No external downloads or package installs are declared — lowest install risk. (That said, the presence of a code file means the script should be audited before running.)
Credentials
The skill needs a single API key (NVIDIA_API_KEY) which is proportional to the stated purpose, but the registry metadata incorrectly lists required env vars as none. This inconsistency is suspicious because it hides the need for a secret in the metadata. The README and SKILL.md both instruct the user to export NVIDIA_API_KEY.
Persistence & Privilege
The skill does not request persistent/autonomous special privileges (always: false, no config path changes). It does not modify other skills or request broad system access.
What to consider before installing
This skill appears to implement exactly what it says (calling NVIDIA NIM models), but you should not install or run it without review and a small set of fixes/confirmations: 1) The registry metadata omits the required NVIDIA_API_KEY — that should be corrected so you know a secret is needed. 2) The Python script disables TLS verification (ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE). That is insecure and should be removed so HTTPS certificate checking is enforced. 3) Confirm the source/author and hosting origin (there's no homepage). Only obtain an API key from the official NVIDIA site and prefer short-lived or least-privilege keys. 4) Run the script in an isolated environment (or container) and review the code before setting any production secrets. 5) If you accept this skill, ask the maintainer to: (a) update registry metadata to declare NVIDIA_API_KEY as required, (b) re-enable TLS verification, and (c) document the exact endpoints and model IDs used. Until these are addressed, treat the skill as suspicious rather than benign.Like a lobster shell, security has layers — review code before you run it.
Current versionv1.0.0
Download ziplatest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
NVIDIA NIM Skill for OpenClaw
This skill allows OpenClaw to delegate tasks to external models hosted on the NVIDIA NIM platform.
Setup
- Get API Key: Register at build.nvidia.com and get your
nvapi-...key. - Set Environment Variable:
export NVIDIA_API_KEY="your_api_key_here"
Usage
Direct Command
python3 scripts/nim_call.py <model_alias> "<prompt>"
Supported Aliases
glm5: Zhipu AI GLM-5kimi: Moonshot Kimi-k2.5r1: DeepSeek R1 (Llama-8B Distill)llama: Llama 3.1 405Bphi: Microsoft Phi-4
Integration with CLAUDE.md
Add this to your project's CLAUDE.md:
- /nim <model> <prompt>: Call NVIDIA NIM models.
Files
3 totalSelect a file
Select a file to preview.
Comments
Loading comments…