Vast Ai

ReviewAudited by ClawScan on May 10, 2026.

Overview

This skill appears purpose-aligned for VAST.ai GPU rentals, but it needs a VAST API key and can start paid GPU instances, so users should confirm costs and setup carefully.

Before installing, verify the CLI path points to code you built from the reviewed source, set VAST_API_KEY securely, and do not approve rentals unless you understand the offer price and how you will stop the instance afterward.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI02: Tool Misuse and Exploitation

What this means

A confirmed rent action can spend VAST.ai account credit and may keep billing while the instance runs.

Why it was flagged

The skill can create paid VAST.ai GPU instances, but the documented flow requires a balance check and user confirmation before the rent action.

Skill content

- **Pre-flight Check**: Before renting, call `balance` ... - **Step 3**: Upon confirmation, call `rent`.

Recommendation

Only approve a specific offer ID, image, and price you understand, and monitor or terminate instances from VAST.ai when finished.

Medium

#ASI03: Identity and Privilege Abuse

What this means

The supplied API key allows the skill to act on the user's VAST.ai account for the supported actions.

Why it was flagged

The CLI forwards the user's VAST API key into the skill for account API calls. This is expected for the service, but the registry metadata lists no primary credential or required environment variable.

Skill content

const apiKey = process.env.VAST_API_KEY; ... await VastSkill.execute(action, params, { API_KEY: apiKey });

Recommendation

Provide the key via a secure environment variable, use the least-privileged or revocable key available, and rotate or remove it after use if needed.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

If that path is wrong or points to different local code, the skill may fail or run code other than the reviewed source.

Why it was flagged

The documented execution command points to a hard-coded local developer path rather than a package-relative installed path, creating ambiguity about what code will actually run.

Skill content

Command: `node /Users/sschepis/Development/vast-ai/dist/cli.js <action> [params]`

Recommendation

Build from the reviewed source and update the command to a package-relative path before providing an API key or renting instances.