← Back to Skills Marketplace
731
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install openclaw-nim-skill
Description
Invoke various LLMs (GLM-5, Kimi-k2.5, Llama 3.1, etc.) via NVIDIA NIM API to save main agent tokens and leverage specialized model capabilities.
Usage Guidance
This skill appears to implement exactly what it says (calling NVIDIA NIM models), but you should not install or run it without review and a small set of fixes/confirmations: 1) The registry metadata omits the required NVIDIA_API_KEY — that should be corrected so you know a secret is needed. 2) The Python script disables TLS verification (ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE). That is insecure and should be removed so HTTPS certificate checking is enforced. 3) Confirm the source/author and hosting origin (there's no homepage). Only obtain an API key from the official NVIDIA site and prefer short-lived or least-privilege keys. 4) Run the script in an isolated environment (or container) and review the code before setting any production secrets. 5) If you accept this skill, ask the maintainer to: (a) update registry metadata to declare NVIDIA_API_KEY as required, (b) re-enable TLS verification, and (c) document the exact endpoints and model IDs used. Until these are addressed, treat the skill as suspicious rather than benign.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-nim-skill
Version: 1.0.0
The skill is classified as suspicious due to a critical SSL/TLS vulnerability in `scripts/nim_call.py`. The script explicitly disables SSL certificate verification (`ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE`) when making API calls to `https://integrate.api.nvidia.com`. This flaw makes the skill vulnerable to Man-in-the-Middle (MITM) attacks, potentially allowing an attacker to intercept communications, steal the `NVIDIA_API_KEY`, or inject malicious responses. While the overall intent of the skill appears benign and aligned with its stated purpose, this severe security vulnerability warrants a 'suspicious' classification.
Capability Assessment
Purpose & Capability
The name/description claim to call NVIDIA NIM models and the included script implements that mapping and HTTP call. That capability aligns with the stated purpose. However the registry metadata reports no required env vars while SKILL.md and scripts clearly require NVIDIA_API_KEY — a mismatch that needs explanation.
Instruction Scope
SKILL.md instructs only to set NVIDIA_API_KEY and run the script — scope is limited and consistent with purpose. The included script, however, disables TLS verification (ssl.check_hostname = False and ssl.verify_mode = ssl.CERT_NONE), which is an out-of-band insecure behavior not discussed in the documentation and expands the risk surface (makes MITM attacks possible and could enable token interception if the endpoint is spoofed).
Install Mechanism
No install spec; code is instruction-only with a small Python script using stdlib urllib. No external downloads or package installs are declared — lowest install risk. (That said, the presence of a code file means the script should be audited before running.)
Credentials
The skill needs a single API key (NVIDIA_API_KEY) which is proportional to the stated purpose, but the registry metadata incorrectly lists required env vars as none. This inconsistency is suspicious because it hides the need for a secret in the metadata. The README and SKILL.md both instruct the user to export NVIDIA_API_KEY.
Persistence & Privilege
The skill does not request persistent/autonomous special privileges (always: false, no config path changes). It does not modify other skills or request broad system access.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openclaw-nim-skill - After installation, invoke the skill by name or use
/openclaw-nim-skill - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of NVIDIA NIM skill for OpenClaw
Metadata
Frequently Asked Questions
What is NVIDIA NIM Skill?
Invoke various LLMs (GLM-5, Kimi-k2.5, Llama 3.1, etc.) via NVIDIA NIM API to save main agent tokens and leverage specialized model capabilities. It is an AI Agent Skill for Claude Code / OpenClaw, with 731 downloads so far.
How do I install NVIDIA NIM Skill?
Run "/install openclaw-nim-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is NVIDIA NIM Skill free?
Yes, NVIDIA NIM Skill is completely free (open-source). You can download, install and use it at no cost.
Which platforms does NVIDIA NIM Skill support?
NVIDIA NIM Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created NVIDIA NIM Skill?
It is built and maintained by d-wwei (@d-wwei); the current version is v1.0.0.
More Skills