NVIDIA NIM Skill

Invoke various LLMs (GLM-5, Kimi-k2.5, Llama 3.1, etc.) via NVIDIA NIM API to save main agent tokens and leverage specialized model capabilities.

This skill appears to implement exactly what it says (calling NVIDIA NIM models), but you should not install or run it without review and a small set of fixes/confirmations: 1) The registry metadata omits the required NVIDIA_API_KEY — that should be corrected so you know a secret is needed. 2) The Python script disables TLS verification (ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE). That is insecure and should be removed so HTTPS certificate checking is enforced. 3) Confirm the source/author and hosting origin (there's no homepage). Only obtain an API key from the official NVIDIA site and prefer short-lived or least-privilege keys. 4) Run the script in an isolated environment (or container) and review the code before setting any production secrets. 5) If you accept this skill, ask the maintainer to: (a) update registry metadata to declare NVIDIA_API_KEY as required, (b) re-enable TLS verification, and (c) document the exact endpoints and model IDs used. Until these are addressed, treat the skill as suspicious rather than benign.

Type: OpenClaw Skill Name: openclaw-nim-skill Version: 1.0.0 The skill is classified as suspicious due to a critical SSL/TLS vulnerability in `scripts/nim_call.py`. The script explicitly disables SSL certificate verification (`ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE`) when making API calls to `https://integrate.api.nvidia.com`. This flaw makes the skill vulnerable to Man-in-the-Middle (MITM) attacks, potentially allowing an attacker to intercept communications, steal the `NVIDIA_API_KEY`, or inject malicious responses. While the overall intent of the skill appears benign and aligned with its stated purpose, this severe security vulnerability warrants a 'suspicious' classification.