← Back to Skills Marketplace
458
Downloads
2
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install rocm-vllm-deployment
Description
Production-ready vLLM deployment on AMD ROCm GPUs. Combines environment auto-check, model parameter detection, Docker Compose deployment, health verification...
Usage Guidance
This skill appears to be a deployment helper and is not obviously malicious, but exercise caution before running it on a sensitive system. Specific actions to consider: 1) Inspect scripts locally (you already have them) before executing. 2) Avoid putting long-lived HF tokens in shell rc files; prefer ephemeral environment variables or a protected .env file with strict permissions. 3) Be aware check-env.sh will source ~/.bashrc (it will execute code from your rc file) and may create an empty ~/.bashrc if missing — run it in a controlled shell first or review/sanitize your rc file. 4) The scripts log the HF_TOKEN prefix and include status in reports stored under $HOME/vllm-compose — treat those files as sensitive. 5) If you want stronger assurance, ask the publisher for a full deployment workflow (the skill includes env-check and report generation but no deployment steps in these scripts) and confirm there are no external network endpoints or installers. If you plan to use this in production, prefer running on an isolated machine or container and store tokens in a secrets manager rather than in shell rc files.
Capability Analysis
Type: OpenClaw Skill
Name: rocm-vllm-deployment
Version: 1.0.0
The skill is classified as suspicious due to two main vulnerabilities. First, `scripts/check-env.sh` sources `~/.bashrc`, which could lead to arbitrary code execution if the user's `.bashrc` file is already compromised. Second, `scripts/generate-report.sh` embeds user-controlled parameters (e.g., `model-id`, `port`) directly into shell commands within the generated `DEPLOYMENT_REPORT.md`. If an AI agent or user were to blindly execute these commands from the report with specially crafted input, it could lead to command injection. While the skill itself does not exhibit clear malicious intent like data exfiltration or unauthorized persistence, these risky capabilities warrant a 'suspicious' classification.
Capability Assessment
Purpose & Capability
The skill claims to prepare and report on vLLM deployments and includes two helper scripts that match that scope (environment check and report generation). However the registry metadata declares no required env vars while the SKILL.md and scripts clearly expect HF_TOKEN and HF_HOME (optional). There is also a small inconsistency: SKILL.md advises sourcing ~/.bash_profile but check-env.sh actually sources ~/.bashrc.
Instruction Scope
check-env.sh sources the user's ~/.bashrc (executing arbitrary shell code from the user's rc file) and will create ~/.bashrc if missing. Both check-env.sh and generate-report.sh echo a truncated HF_TOKEN (first 10 characters) into stdout/logs and the generated report, which means sensitive token material can be written into deployment logs and DEPLOYMENT_REPORT.md under $HOME/vllm-compose/<model-id> — a potential secret-leakage risk. Aside from that, the scripts do not perform network calls or write to unexpected remote endpoints.
Install Mechanism
Instruction-only skill with no install spec and no external downloads. The scripts live in the skill directory and nothing in the manifest creates or executes external installers — low install risk.
Credentials
Requesting HF_TOKEN and HF_HOME is appropriate for interacting with HuggingFace models, but the skill/README/manifest mismatch (registry says no required env vars) is confusing. More importantly, the scripts log the token prefix and include token status in generated reports, which is disproportionate handling of a secret. The skill does not ask for unrelated credentials.
Persistence & Privilege
The skill does not request elevated platform privileges or set always:true. It does write under $HOME/vllm-compose/<model-id>/ and will touch/create ~/.bashrc if absent — this is modest persistence in the user's home directory and should be expected for a deployment helper but is worth noting.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install rocm-vllm-deployment - After installation, invoke the skill by name or use
/rocm-vllm-deployment - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release - Deploy vLLM on AMD ROCm GPUs
Metadata
Frequently Asked Questions
What is ROCm vLLM Deployment?
Production-ready vLLM deployment on AMD ROCm GPUs. Combines environment auto-check, model parameter detection, Docker Compose deployment, health verification... It is an AI Agent Skill for Claude Code / OpenClaw, with 458 downloads so far.
How do I install ROCm vLLM Deployment?
Run "/install rocm-vllm-deployment" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is ROCm vLLM Deployment free?
Yes, ROCm vLLM Deployment is completely free (open-source). You can download, install and use it at no cost.
Which platforms does ROCm vLLM Deployment support?
ROCm vLLM Deployment is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created ROCm vLLM Deployment?
It is built and maintained by alexhegit (@alexhegit); the current version is v1.0.0.
More Skills