Is d-wwei/openclaw-nim-skill safe?

https://github.com/openclaw/skills/tree/main/skills/d-wwei/openclaw-nim-skill

78 · CAUTION

This NVIDIA NIM integration skill provides legitimate functionality for calling external AI models, but it has a critical SSL security flaw: it disables certificate verification. While the core functionality is benign, the disabled SSL verification leaves API traffic vulnerable to man-in-the-middle attacks.

Category Scores (score/100 · weight in overall score)

Prompt Injection 95/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 40/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (3)

CRITICAL SSL Certificate Verification Disabled -60

The Python script disables SSL certificate verification with 'ctx.check_hostname = False' and 'ctx.verify_mode = ssl.CERT_NONE'. With both checks off, the client accepts any certificate, so an attacker on the network path could impersonate the API endpoint and read the API key and prompt data in transit.

HIGH User Prompts Sent to External APIs -30

By design, this skill transmits all user prompts to external NVIDIA API servers, which could include sensitive information. Users should be aware that their conversational data leaves the local environment.

MEDIUM API Key Management Required -25

The skill requires users to manage and store NVIDIA API credentials in environment variables, which adds complexity and creates the potential for credential exposure if they are not handled properly.