vastai-security-basics
Apply Vast.ai security best practices for API keys and instance access. Use when securing API keys, hardening SSH access to GPU instances, or auditing Vast.ai security configuration. Trigger with phrases like "vastai security", "vastai secrets", "secure vastai", "vastai API key security", "vastai ssh security".
Best use case
vastai-security-basics is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Apply Vast.ai security best practices for API keys and instance access. Use when securing API keys, hardening SSH access to GPU instances, or auditing Vast.ai security configuration. Trigger with phrases like "vastai security", "vastai secrets", "secure vastai", "vastai API key security", "vastai ssh security".
Teams using vastai-security-basics should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/vastai-security-basics/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How vastai-security-basics Compares
| Feature / Agent | vastai-security-basics | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Apply Vast.ai security best practices for API keys and instance access. Use when securing API keys, hardening SSH access to GPU instances, or auditing Vast.ai security configuration. Trigger with phrases like "vastai security", "vastai secrets", "secure vastai", "vastai API key security", "vastai ssh security".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Vast.ai Security Basics
## Overview
Security best practices for Vast.ai API keys, SSH access to GPU instances, data protection on rented hardware, and credential management. Vast.ai instances run as root on shared hardware, requiring careful attention to data lifecycle.
## Prerequisites
- Vast.ai account with API key
- Understanding of SSH key management
- Secrets manager available (optional but recommended)
## Instructions
### Step 1: API Key Management
```bash
# Never commit API keys to git
echo '.vast_api_key' >> .gitignore
echo '.env' >> .gitignore
# Use environment variables, not files in repos
export VASTAI_API_KEY="$(vault kv get -field=api_key secret/vastai)"
# Rotate keys periodically at cloud.vast.ai > Account > API Keys
```
```python
# Fail fast on missing credentials
import os
def get_api_key():
key = os.environ.get("VASTAI_API_KEY")
if not key:
key_file = os.path.expanduser("~/.vast_api_key")
if os.path.exists(key_file):
key = open(key_file).read().strip()
if not key:
raise ValueError("VASTAI_API_KEY not set and ~/.vast_api_key not found")
return key
```
### Step 2: SSH Key Security
```bash
# Generate a dedicated key pair for Vast.ai instances
ssh-keygen -t ed25519 -f ~/.ssh/vastai_key -C "vastai-instances" -N ""
# Upload public key at cloud.vast.ai > Account > SSH Keys
# Use the dedicated key for connections
ssh -i ~/.ssh/vastai_key -p PORT root@HOST
```
### Step 3: Data Protection on Shared Hardware
```python
def secure_cleanup(instance_id, ssh_host, ssh_port):
"""Securely wipe data before destroying an instance."""
import subprocess
# Overwrite sensitive files before instance destruction
subprocess.run([
"ssh", "-p", str(ssh_port), "-o", "StrictHostKeyChecking=no",
f"root@{ssh_host}",
"rm -rf /workspace/data /workspace/checkpoints /root/.ssh/authorized_keys; "
"history -c"
], check=True)
# Then destroy
subprocess.run(["vastai", "destroy", "instance", str(instance_id)], check=True)
```
### Step 4: Network Security
- Use SSH tunnels for any services exposed on instances
- Never expose ports with sensitive data to the public internet
- Transfer data over SCP/SFTP, not unencrypted HTTP
- Encrypt training data before upload; decrypt on-instance
### Step 5: Credential Rotation Checklist
- [ ] API key rotated every 90 days
- [ ] SSH keys dedicated to Vast.ai (not shared with production)
- [ ] Old SSH keys removed from cloud.vast.ai after rotation
- [ ] `.vast_api_key` file permissions set to `600`
- [ ] No API keys in shell history (`export` from a sourced file, not typed)
## Output
- API key loaded from environment or secrets manager
- Dedicated SSH key pair for Vast.ai instances
- Secure cleanup before instance destruction
- Network security guidelines
- Credential rotation checklist
## Error Handling
| Error | Cause | Solution |
|-------|-------|----------|
| API key leaked in git | Committed `.env` or key file | Rotate key immediately; add to `.gitignore` |
| SSH key rejected | Wrong key or not uploaded | Verify key is at cloud.vast.ai > SSH Keys |
| Data left on destroyed instance | Forgot to clean up | Use `secure_cleanup()` before destroy |
| Key file world-readable | Wrong permissions | `chmod 600 ~/.vast_api_key ~/.ssh/vastai_key` |
## Resources
- [Vast.ai CLI Security](https://docs.vast.ai/cli/get-started)
- [SSH Key Management](https://docs.vast.ai/api-reference/introduction)
## Next Steps
For production deployment checklist, see `vastai-prod-checklist`.
## Examples
**Vault integration**: Load API key from HashiCorp Vault at runtime, never write to disk, and use SSH agent forwarding for key management.
**Ephemeral instances**: Treat every Vast.ai instance as throwaway. Never store persistent state on instances; always upload data, process, download results, and destroy.Related Skills
performing-security-testing
Test automate security vulnerability testing covering OWASP Top 10, SQL injection, XSS, CSRF, and authentication issues. Use when performing security assessments, penetration tests, or vulnerability scans. Trigger with phrases like "scan for vulnerabilities", "test security", or "run penetration test".
checking-session-security
Analyze session management implementations to identify security vulnerabilities in web applications. Use when you need to audit session handling, check for session fixation risks, review session timeout configurations, or validate session ID generation security. Trigger with phrases like "check session security", "audit session management", "review session handling", or "session fixation vulnerability".
finding-security-misconfigurations
Configure identify security misconfigurations in infrastructure-as-code, application settings, and system configurations. Use when you need to audit Terraform/CloudFormation templates, check application config files, validate system security settings, or ensure compliance with security best practices. Trigger with phrases like "find security misconfigurations", "audit infrastructure security", "check config security", or "scan for misconfigured settings".
responding-to-security-incidents
Analyze and guide security incident response, investigation, and remediation processes. Use when you need to handle security breaches, classify incidents, develop response playbooks, gather forensic evidence, or coordinate remediation efforts. Trigger with phrases like "security incident response", "ransomware attack response", "data breach investigation", "incident playbook", or "security forensics".
analyzing-security-headers
Analyze HTTP security headers of web domains to identify vulnerabilities and misconfigurations. Use when you need to audit website security headers, assess header compliance, or get security recommendations for web applications. Trigger with phrases like "analyze security headers", "check HTTP headers", "audit website security headers", or "evaluate CSP and HSTS configuration".
generating-security-audit-reports
Generate comprehensive security audit reports for applications and systems. Use when you need to assess security posture, identify vulnerabilities, evaluate compliance status, or create formal security documentation. Trigger with phrases like "create security audit report", "generate security assessment", "audit security posture", or "PCI-DSS compliance report".
workhuman-security-basics
Workhuman security basics for employee recognition and rewards API. Use when integrating Workhuman Social Recognition, or building recognition workflows with HRIS systems. Trigger: "workhuman security basics".
wispr-security-basics
Wispr Flow security basics for voice-to-text API integration. Use when integrating Wispr Flow dictation, WebSocket streaming, or building voice-powered applications. Trigger: "wispr security basics".
windsurf-security-basics
Apply Windsurf security best practices for workspace isolation, data privacy, and secret protection. Use when securing sensitive code from AI indexing, configuring telemetry, or auditing Windsurf security posture. Trigger with phrases like "windsurf security", "windsurf secrets", "windsurf privacy", "windsurf data protection", "codeiumignore".
webflow-security-basics
Apply Webflow API security best practices — token management, scope least privilege, OAuth 2.0 secret rotation, webhook signature verification, and audit logging. Use when securing API tokens, implementing least privilege access, or auditing Webflow security configuration. Trigger with phrases like "webflow security", "webflow secrets", "secure webflow", "webflow API key security", "webflow token rotation".
vercel-security-basics
Apply Vercel security best practices for secrets, headers, and access control. Use when securing API keys, configuring security headers, or auditing Vercel security configuration. Trigger with phrases like "vercel security", "vercel secrets", "secure vercel", "vercel headers", "vercel CSP".
veeva-security-basics
Veeva Vault security basics for REST API and clinical operations. Use when working with Veeva Vault document management and CRM. Trigger: "veeva security basics".