ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

NVIDIA Kimi Vision

v1.0.3

Analyze images using NVIDIA Kimi K2.5 vision model via NVIDIA NIM API. Perfect for adding vision to non-vision models like MiniMax M2.5, GLM-5, or any model...

0· 791·2 current·2 all-time
byQuiz Due@miladnoo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the actual behavior: the script encodes an image and POSTs it to an NVIDIA inference endpoint (integrate.api.nvidia.com) using a Kimi model. Required runtime (python3 and the requests library) is consistent with the code.
!
Instruction Scope
The SKILL.md and script instruct reading a user API key from ~/.config/nvidia-kimi-api-key (or accepting it inline). The skill does not read any other system files, but it references a config file path that is not declared in the registry metadata (requires.config). That mismatch should be declared so users know the skill will read a file from their home directory.
Install Mechanism
This is an instruction-only skill with no install spec (lowest risk). The SKILL.md metadata contains an 'install' entry labeled 'Install Python dependencies (requests)' but provides no command; the included script requires the requests package, so users must install it manually or the skill will fail.
Credentials
No environment variables or cloud credentials are required by the registry metadata; the script instead expects an NVIDIA API key stored in a user config file or passed inline. Storing the key as plaintext in ~/.config/nvidia-kimi-api-key is functional but not ideal—this is proportional to the skill's purpose but should be noted as a security consideration.
Persistence & Privilege
The skill does not request permanent/always-on presence, does not modify other skills or system-wide settings, and only reads/writes the user-provided config path. Autonomous invocation is enabled by default but is not combined with broad or unexplained privileges.
Assessment
This skill appears to do what it says: it base64-encodes an image and sends it to NVIDIA's inference API using a Kimi model. Before installing or running it: 1) Inspect the script (it is included) and confirm the endpoint and model match the NVIDIA service you intend to use. 2) Install the Python requests package (preferably in a virtualenv). 3) Create a dedicated/limited NVIDIA API key (do not reuse sensitive production keys) and consider storing it in a secure secrets manager rather than a plaintext file; if you must use the file, restrict its permissions (chmod 600). 4) Be aware of a minor bug: extension parsing in the script expects bare extensions (e.g., 'jpg') but uses os.path.splitext which returns '.jpg' so the MIME mapping falls back to image/jpeg; this is a correctness issue, not an obvious security issue. 5) Avoid sending images that contain highly sensitive data unless you trust the endpoint and key. If you want stronger assurance, run the script in an isolated environment and/or modify it to read the API key from an OS credential store.

Like a lobster shell, security has layers — review code before you run it.

latestvk973ykkf4a96zkgcdjzbsbj3sn81dtze

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspython3

Comments