← 返回 Skills 市场
458
总下载
2
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install rocm-vllm-deployment
功能描述
Production-ready vLLM deployment on AMD ROCm GPUs. Combines environment auto-check, model parameter detection, Docker Compose deployment, health verification...
安全使用建议
This skill appears to be a deployment helper and is not obviously malicious, but exercise caution before running it on a sensitive system. Specific actions to consider: 1) Inspect scripts locally (you already have them) before executing. 2) Avoid putting long-lived HF tokens in shell rc files; prefer ephemeral environment variables or a protected .env file with strict permissions. 3) Be aware check-env.sh will source ~/.bashrc (it will execute code from your rc file) and may create an empty ~/.bashrc if missing — run it in a controlled shell first or review/sanitize your rc file. 4) The scripts log the HF_TOKEN prefix and include status in reports stored under $HOME/vllm-compose — treat those files as sensitive. 5) If you want stronger assurance, ask the publisher for a full deployment workflow (the skill includes env-check and report generation but no deployment steps in these scripts) and confirm there are no external network endpoints or installers. If you plan to use this in production, prefer running on an isolated machine or container and store tokens in a secrets manager rather than in shell rc files.
功能分析
Type: OpenClaw Skill
Name: rocm-vllm-deployment
Version: 1.0.0
The skill is classified as suspicious due to two main vulnerabilities. First, `scripts/check-env.sh` sources `~/.bashrc`, which could lead to arbitrary code execution if the user's `.bashrc` file is already compromised. Second, `scripts/generate-report.sh` embeds user-controlled parameters (e.g., `model-id`, `port`) directly into shell commands within the generated `DEPLOYMENT_REPORT.md`. If an AI agent or user were to blindly execute these commands from the report with specially crafted input, it could lead to command injection. While the skill itself does not exhibit clear malicious intent like data exfiltration or unauthorized persistence, these risky capabilities warrant a 'suspicious' classification.
能力评估
Purpose & Capability
The skill claims to prepare and report on vLLM deployments and includes two helper scripts that match that scope (environment check and report generation). However the registry metadata declares no required env vars while the SKILL.md and scripts clearly expect HF_TOKEN and HF_HOME (optional). There is also a small inconsistency: SKILL.md advises sourcing ~/.bash_profile but check-env.sh actually sources ~/.bashrc.
Instruction Scope
check-env.sh sources the user's ~/.bashrc (executing arbitrary shell code from the user's rc file) and will create ~/.bashrc if missing. Both check-env.sh and generate-report.sh echo a truncated HF_TOKEN (first 10 characters) into stdout/logs and the generated report, which means sensitive token material can be written into deployment logs and DEPLOYMENT_REPORT.md under $HOME/vllm-compose/<model-id> — a potential secret-leakage risk. Aside from that, the scripts do not perform network calls or write to unexpected remote endpoints.
Install Mechanism
Instruction-only skill with no install spec and no external downloads. The scripts live in the skill directory and nothing in the manifest creates or executes external installers — low install risk.
Credentials
Requesting HF_TOKEN and HF_HOME is appropriate for interacting with HuggingFace models, but the skill/README/manifest mismatch (registry says no required env vars) is confusing. More importantly, the scripts log the token prefix and include token status in generated reports, which is disproportionate handling of a secret. The skill does not ask for unrelated credentials.
Persistence & Privilege
The skill does not request elevated platform privileges or set always:true. It does write under $HOME/vllm-compose/<model-id>/ and will touch/create ~/.bashrc if absent — this is modest persistence in the user's home directory and should be expected for a deployment helper but is worth noting.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install rocm-vllm-deployment - 安装完成后,直接呼叫该 Skill 的名称或使用
/rocm-vllm-deployment触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release - Deploy vLLM on AMD ROCm GPUs
元数据
常见问题
ROCm vLLM Deployment 是什么?
Production-ready vLLM deployment on AMD ROCm GPUs. Combines environment auto-check, model parameter detection, Docker Compose deployment, health verification... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 458 次。
如何安装 ROCm vLLM Deployment?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install rocm-vllm-deployment」即可一键安装,无需额外配置。
ROCm vLLM Deployment 是免费的吗?
是的,ROCm vLLM Deployment 完全免费(开源免费),可自由下载、安装和使用。
ROCm vLLM Deployment 支持哪些平台?
ROCm vLLM Deployment 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 ROCm vLLM Deployment?
由 alexhegit(@alexhegit)开发并维护,当前版本 v1.0.0。
推荐 Skills