NVIDIA NIM Skill
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly does what it advertises, but its API call disables HTTPS certificate verification, which could expose your NVIDIA API key and prompts to interception.
Review or patch scripts/nim_call.py before installing: certificate verification should remain enabled for NVIDIA API calls. Only send prompts or file contents you are comfortable sharing with NVIDIA, and use a dedicated API key rather than a broadly reused credential.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone able to intercept or redirect the network connection could impersonate the API endpoint and capture your NVIDIA API key and prompt contents.
The script sends the NVIDIA bearer API key and user prompt to an external provider while explicitly disabling server certificate and hostname verification, weakening assurance that the connection is really to NVIDIA.
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
...
"Authorization": f"Bearer {api_key}"
...
urllib.request.urlopen(req, context=ctx)
Remove the custom SSL context or keep default certificate verification enabled. Do not use this skill with sensitive prompts until that is fixed, and rotate the NVIDIA API key if it may have been exposed.
The skill can use your NVIDIA API key to submit prompts to NVIDIA NIM and may affect your account usage, quota, or billing depending on your NVIDIA account terms.
The skill requires a provider API credential to invoke NVIDIA NIM. This is expected for the integration, but the registry metadata lists no required env vars or primary credential.
Get API Key... get your `nvapi-...` key. ... export NVIDIA_API_KEY="your_api_key_here"
Use a dedicated, least-privilege API key if available, avoid sharing sensitive prompts unnecessarily, and update the skill metadata to declare NVIDIA_API_KEY as a required credential.
