ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nccl Optimizer

v1.1.0

Detect the optimal NCCL configuration for distributed GPU training on this machine. Checks GPU topology (NVLink/PCIe), whether RDMA (InfiniBand / RoCE) is av...

0· 67·0 current·0 all-time
byRui@mitsuha-m
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the actual behavior: the skill inspects GPUs, topology, RDMA, network interfaces, and runs nccl-tests (all_reduce_perf, p2p_bw) and optional MPI benchmarks. It does not request unrelated services or credentials.
Instruction Scope
SKILL.md and the Python code restrict actions to local system probes (/proc, /sys, nvidia-smi, ibv_devinfo, ip/ifconfig) and running nccl-tests/mpirun. It may run inter-node benchmarks when the user supplies nodes, which is documented. There are no instructions to read or exfiltrate arbitrary unrelated files or to contact unknown external endpoints.
Install Mechanism
No install spec; the skill is instruction+script only. It suggests building nccl-tests from the official GitHub repo (expected for this purpose). No downloads from arbitrary/personal servers are specified.
Credentials
The skill requires no environment variables or credentials and only probes local system state. It documents external prerequisites (CUDA/NVIDIA driver, ibverbs-utils, openmpi) appropriate for its function.
Persistence & Privilege
always is false and model invocation is allowed (normal). The skill does not request long-term persistence or modify other skills/system-wide agent configuration.
Assessment
This skill appears to do what it says: run local GPU/topology/RDMA checks and nccl-tests benchmarks. Before running: ensure you're on Linux with NVIDIA drivers and that you trust the machine (the skill executes shell commands and may run heavy GPU/network benchmarks). If you provide nodes for inter-node benchmarking, the skill expects passwordless SSH and will run mpirun across those hosts — only supply node addresses you control. Building nccl-tests clones from GitHub (expected). Be aware that the tool runs binaries with shell invocation (subprocess with shell=True) and will execute any binaries it finds (e.g., all_reduce_perf), so avoid running untrusted inputs to the skill and review the commands it will run if you have security concerns.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d893rtavtfc8wah6fwv2ked839abw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments