Gen Agent Trust Hub audit: skills/d-wwei/openclaw-nim-skill/nim

Verdict: Warn

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [DATA_EXFILTRATION]: The script scripts/nim_call.py explicitly disables SSL certificate verification by setting ctx.check_hostname = False and ctx.verify_mode = ssl.CERT_NONE. This insecure configuration leaves the connection open to man-in-the-middle interception, exposing the NVIDIA_API_KEY and all processed data in transit to NVIDIA's servers.
  • [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by proxying untrusted user data to external language models.
    • Ingestion points: User-provided prompts are ingested via command-line arguments in scripts/nim_call.py and passed to the API.
    • Boundary markers: No delimiters or safety instructions are used to isolate user input within the API request payload.
    • Capability inventory: The script performs network operations to external APIs and returns the generated content to the user's terminal.
    • Sanitization: No input validation or output filtering is implemented to prevent malicious instructions from being executed by the external model or returned to the host agent.
  • [EXTERNAL_DOWNLOADS]: The skill communicates with the official NVIDIA NIM API endpoint at integrate.api.nvidia.com to perform inference tasks.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 9, 2026, 06:41 AM