ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

nexus-edge-deployer

v2.1.0

Deploy 1-bit quantized AI models on VPS for Agent-as-a-Service with 98% margins.

0· 59·0 current·0 all-time
by@shuwanito
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md explicitly requires provisioning Hetzner VPSes via the cloud API, pre-loading models, and configuring Ollama/llama.cpp; yet the registry metadata lists no required environment variables, no required binaries, and no config paths. A legitimate deployer would normally require at minimum a Hetzner API token (or SSH keys), model artifacts or download endpoints, and the inference binaries (Ollama/llama.cpp) or install instructions.
!
Instruction Scope
Instructions direct the agent to provision servers, deploy personas, benchmark, and configure monitoring/auto-scaling. They are high-level and grant broad discretion (e.g., 'Provision VPS via Hetzner API with cloud-init') but provide no concrete safe defaults, no explicit credential handling, and no locations for cloud-init/model artifacts. That vagueness can lead an agent to seek credentials or run network actions not scoped in the metadata.
Install Mechanism
This is an instruction-only skill (no install spec), which is lower-risk in that it doesn't ship or execute code on install. However, the instructions implicitly require installing/using external tools (Ollama, llama.cpp, cloud-init, monitoring agents) but provide no guidance. The absence of an install spec is inconsistent with the operational requirements described.
!
Credentials
The skill declares no required environment variables or primary credential, but its workflow explicitly calls for Hetzner API provisioning and likely needs SSH keys, API tokens, or cloud credentials and access to model files. This mismatch is disproportionate and should be resolved before trusting the skill to act.
Persistence & Privilege
Flags show always:false and normal autonomous invocation settings. The skill does not request persistent presence or manipulate other skills' configs. No elevated platform privileges are declared.
What to consider before installing
Do not install or run this skill without clarification. Ask the author for an explicit list of required credentials (Hetzner API token, SSH key locations, model download endpoints), the exact binaries/tools it will call (Ollama, llama.cpp, monitoring agents), and any cloud-init scripts or templates to be used. If you must test it: use a throwaway/test Hetzner project with minimal-permission API tokens, review any cloud-init/user-data and automation scripts before execution, run in an isolated account or sandbox, and ensure model files come from trusted sources. The current metadata is inconsistent with the runtime actions described — that gap should be resolved before granting the skill access to credentials or letting it run autonomously.

Like a lobster shell, security has layers — review code before you run it.

latestvk976asp37mf07ra7j4vye2695s842erb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🖥️ Clawdis
OSmacOS · Linux · Windows

Comments