Skill v1.1.0
VirusTotal security
Nccl Optimizer · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 28, 2026, 7:22 AM
- Hash: b48ab636f85e4a624d6240c138a54f75f5d1893e45899f7eb8aff543674e4da4
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: nccl-optimizer; Version: 1.1.0. The skill is designed for NCCL performance tuning but contains a critical command injection vulnerability. In `__init__.py`, the `_parse_nodes` function extracts hostnames/IPs from user-provided input, which are then concatenated into a command string and executed via `subprocess.check_output(shell=True)` in `_run_internode_allreduce`. While the behavior aligns with the stated purpose of benchmarking distributed GPU clusters, the lack of input sanitization allows an attacker to execute arbitrary shell commands by providing a malicious 'nodes' parameter.
