Skill v1.1.0
ClawScan security
Nccl Optimizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 20, 2026, 9:33 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and resource usage align with its stated purpose (detecting/tuning NCCL settings); it performs local system and network interface checks and runs standard benchmarking binaries but does not request unrelated credentials or install arbitrary remote code.
- Guidance: This skill appears to do what it says: run local GPU/topology/RDMA checks and nccl-tests benchmarks. Before running: ensure you're on Linux with NVIDIA drivers and that you trust the machine (the skill executes shell commands and may run heavy GPU/network benchmarks). If you provide nodes for inter-node benchmarking, the skill expects passwordless SSH and will run mpirun across those hosts — only supply node addresses you control. Building nccl-tests clones from GitHub (expected). Be aware that the tool runs binaries with shell invocation (subprocess with shell=True) and will execute any binaries it finds (e.g., all_reduce_perf), so avoid running untrusted inputs to the skill and review the commands it will run if you have security concerns.
Review Dimensions
- Purpose & Capability: ok. Name/description match the actual behavior: the skill inspects GPUs, topology, RDMA, network interfaces, and runs nccl-tests (all_reduce_perf, p2p_bw) and optional MPI benchmarks. It does not request unrelated services or credentials.
- Instruction Scope: ok. SKILL.md and the Python code restrict actions to local system probes (/proc, /sys, nvidia-smi, ibv_devinfo, ip/ifconfig) and running nccl-tests/mpirun. It may run inter-node benchmarks when the user supplies nodes, which is documented. There are no instructions to read or exfiltrate arbitrary unrelated files or to contact unknown external endpoints.
- Install Mechanism: ok. No install spec; the skill is instruction+script only. It suggests building nccl-tests from the official GitHub repo (expected for this purpose). No downloads from arbitrary/personal servers are specified.
- Credentials: ok. The skill requires no environment variables or credentials and only probes local system state. It documents external prerequisites (CUDA/NVIDIA driver, ibverbs-utils, openmpi) appropriate for its function.
- Persistence & Privilege: ok. always is false and model invocation is allowed (normal). The skill does not request long-term persistence or modify other skills/system-wide agent configuration.
