NVIDIA NIM Provider

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward NVIDIA API helper that uses a configured API key to fetch model metadata, with no evidence of hidden file access, persistence, or destructive behavior.

Before installing, treat this as a networked community code plugin: only use a NVIDIA API key you are comfortable giving to OpenClaw configuration, understand that model-list requests are sent to NVIDIA with that key, and verify the publisher/source if you require stronger provenance.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The manifest explicitly advertises real-time access to external NVIDIA APIs and requires an API key, but it does not disclose network transmission, external data handling, or credential-use expectations to the user in a warning or consent-oriented way. This creates a genuine transparency and privacy/security risk because users may provide sensitive prompts or credentials without clear notice that data will be sent to a third-party service.

VirusTotal

61/61 vendors flagged this plugin as clean.

View on VirusTotal