autodl-train

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is coherent with its stated purpose, but it should only be used if you are comfortable giving it SSH access to start and monitor long-running training jobs on your server.

Install only if you trust this skill with SSH access to the target AutoDL server. Review config.json, especially host, username, project_path, ssh_key_path, train_command, log paths, and any .env password file. Prefer SSH keys and a least-privileged account, keep private config out of the published skill directory, and monitor launched jobs because they can keep running and consuming resources after the command returns.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or overly broad training command could change files, consume resources, or run unintended commands on the remote server.

Why it was flagged

The skill intentionally converts the configured training command into a remote launcher script and executes it over SSH. This is core to the skill, but it means the configured command has remote shell-level impact.

Skill content

TRAIN_COMMAND={shell_quote(train_command)} ... exec {train_command}

Recommendation

Only use trusted config files and review train_command, project_path, and resume arguments before launching. Prefer a least-privileged remote account when possible.

What this means

Anyone who can access the configured SSH key, password, or .env file may be able to access the remote server.

Why it was flagged

The skill can use SSH credentials, including an SSH password supplied through an environment variable or local .env file. This is expected for SSH-based training operations, but it is sensitive access.

Skill content

Optional password mode: provide `AUTOCLAW_TRAIN_SSH_PASSWORD` as an environment variable or local `.env` file when SSH key login is not available.

Recommendation

Prefer SSH keys over passwords, keep .env files out of the skill package and source control, restrict file permissions, and avoid using root unless AutoDL requires it.

What this means

A launched training job may continue consuming GPU, CPU, memory, disk, and cloud credits until it finishes or is manually stopped.

Why it was flagged

The script deliberately starts the remote training launcher in the background so the job can keep running after the SSH command returns. This is normal for training workflows, but it is persistent remote activity.

Skill content

nohup "$LAUNCHER_PATH" >> "$TRAIN_LOG" 2>&1 < /dev/null &

Recommendation

After launching, use the status and resource-monitor scripts, and stop jobs manually if they are no longer wanted.

What this means

Users may not realize from registry metadata alone that the skill needs SSH tooling and server credentials.

Why it was flagged

The registry metadata under-declares operational requirements compared with the documented SSH scripts and optional AUTOCLAW_TRAIN_SSH_PASSWORD credential. The behavior is disclosed in SKILL.md and references, so this is a metadata completeness issue rather than hidden capability.

Skill content

Required binaries (all must exist): none ... Env var declarations: none ... Primary credential: none

Recommendation

Before installing, read SKILL.md and references/usage.md, ensure local SSH/Python prerequisites are available, and treat the skill as one that has remote server access.

What this means

Sensitive information present in training logs could appear in the assistant conversation or structured output.

Why it was flagged

The log summarizer returns recent remote log excerpts to the agent/user. This is expected for diagnosing training runs, but logs can contain sensitive paths, dataset names, errors, or accidental secrets.

Skill content

"excerpt": latest_run_text.splitlines()[-tail_lines:]

Recommendation

Avoid logging secrets in training jobs, keep tail limits reasonable, and review excerpts before sharing them outside your environment.