JarvisLabs GPU
AdvisoryAudited by Static analysis on May 7, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or over-eager agent could incur cloud GPU charges, delete instance data, or run broad commands on a JarvisLabs instance.
The guide presents confirmation-suppressing commands for billable creation and permanent destruction, and also exposes raw remote shell execution, without an explicit instruction to obtain separate user approval first.
`jl create --gpu L4 --storage 40 --yes --json` ... `jl destroy <id> --yes --json # permanently delete` ... `jl exec` = run any command on an instance ... `escape hatch`
Require explicit user approval, target instance IDs, cost/storage expectations, and a rollback or shutdown plan before using `create`, `resume`, `destroy`, `exec`, upload, or download commands; avoid `--yes` unless the user has already confirmed the exact action.
Anyone or anything using this credential through the agent may be able to manage JarvisLabs resources and affect billing or stored instance data.
The skill clearly discloses JarvisLabs authentication, which is expected for managing GPU resources, but the credential enables actions against the user's cloud account.
`primaryEnv: JL_API_KEY` ... `If not logged in, use jl setup --token <token> --yes`. You can also authenticate via `export JL_API_KEY="..."`.
Use a revocable, least-privilege API key if available, avoid sharing tokens in chat logs, and revoke or rotate the credential after use if there is any concern.
The installed package will run locally as the JarvisLabs CLI, so package provenance and version trust matter.
The skill relies on installing an external CLI package. This is normal for the stated purpose, but the executable code is not part of the provided scanned artifact.
`uv tool install jarvislabs` ... Alternative Python install: `pip install jarvislabs`
Install from the official package source, consider pinning a known-good version, and verify the CLI documentation or package owner before authenticating.
A job or instance may continue running and billing after the user stops interacting with the agent, or paused storage may continue to incur storage costs.
The guide documents background jobs and persistent cloud resources. This is expected for GPU experiments, but resources can outlive the immediate agent interaction.
`jl run` ... runs your script in the background ... Instances have three states: `Running (billing active)`, `Paused ... data persists`, `Destroyed (everything deleted)`.
Track run IDs and machine IDs, review `jl run status` and `jl status`, and pause or destroy resources deliberately when finished.