NVIDIA Kimi Vision

Analyze images using NVIDIA Kimi K2.5 vision model via NVIDIA NIM API. Perfect for adding vision to non-vision models like MiniMax M2.5, GLM-5, or any model...

This skill appears to do what it says: it base64-encodes an image and sends it to NVIDIA's inference API using a Kimi model. Before installing or running it: 1) Inspect the script (it is included) and confirm the endpoint and model match the NVIDIA service you intend to use. 2) Install the Python requests package (preferably in a virtualenv). 3) Create a dedicated/limited NVIDIA API key (do not reuse sensitive production keys) and consider storing it in a secure secrets manager rather than a plaintext file; if you must use the file, restrict its permissions (chmod 600). 4) Be aware of a minor bug: extension parsing in the script expects bare extensions (e.g., 'jpg') but uses os.path.splitext which returns '.jpg' so the MIME mapping falls back to image/jpeg; this is a correctness issue, not an obvious security issue. 5) Avoid sending images that contain highly sensitive data unless you trust the endpoint and key. If you want stronger assurance, run the script in an isolated environment and/or modify it to read the API key from an OS credential store.

Type: OpenClaw Skill Name: nvidia-kimi-vision Version: 1.0.3 The `scripts/analyze_image.py` file contains an information disclosure vulnerability. The `get_api_key` function, when provided with a third command-line argument, attempts to read that argument as a file path if it exists. This allows an attacker to specify a path to an arbitrary sensitive file (e.g., `~/.ssh/id_rsa`, `/etc/passwd`). The content of this file is then used as the API key and sent in the `Authorization` header to NVIDIA's API endpoint (`https://integrate.api.nvidia.com`). While the data is sent to a legitimate third party (NVIDIA), this constitutes an unauthorized information disclosure risk.