Vast Ai
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: vast-ai
Version: 1.0.0
The skill bundle is benign. The `SKILL.md` instructions are clear, task-oriented, and fully aligned with the stated purpose of managing VAST.ai GPU rentals, showing no signs of prompt injection. The TypeScript code (`src/*.ts`) implements a client for the legitimate VAST.ai API (`https://console.vast.ai/api/v0`), using standard libraries (`axios`, `limiter`, `minimist`) and handling API keys securely via environment variables. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or obfuscation. The absolute path in `SKILL.md` for execution is likely a developer's local path and not indicative of malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A confirmed rent action can spend VAST.ai account credit and may keep billing while the instance runs.
The skill can create paid VAST.ai GPU instances, but the documented flow requires a balance check and user confirmation before the rent action.
- **Pre-flight Check**: Before renting, call `balance` ... - **Step 3**: Upon confirmation, call `rent`.
Only approve a specific offer ID, image, and price you understand, and monitor or terminate instances from VAST.ai when finished.
The supplied API key allows the skill to act on the user's VAST.ai account for the supported actions.
The CLI forwards the user's VAST API key into the skill for account API calls. This is expected for the service, but the registry metadata lists no primary credential or required environment variable.
`const apiKey = process.env.VAST_API_KEY; ... await VastSkill.execute(action, params, { API_KEY: apiKey });`
Provide the key via a secure environment variable, use the least-privileged or revocable key available, and rotate or remove it after use if needed.
If that path is wrong or points to different local code, the skill may fail or run code other than the reviewed source.
The documented execution command points to a hard-coded local developer path rather than a package-relative installed path, creating ambiguity about what code will actually run.
Command: `node /Users/sschepis/Development/vast-ai/dist/cli.js <action> [params]`
Build from the reviewed source and update the command to a package-relative path before providing an API key or renting instances.
