Add security warning for verify_ssl=False in docs and docstring

kylexqian · claude · kylexqian · commit 1aceb7261bab · 2026-03-13T01:08:49.000-07:00
Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/docs/CLAUDE_SDK_USERS.md b/docs/CLAUDE_SDK_USERS.md
@@ -41,7 +41,10 @@ Each service has its own client class:
 llm = og.LLM(private_key="0x...")
 
 # Connect directly to a known TEE IP instead of using the on-chain registry.
-# Set verify_ssl=False when the server uses a self-signed certificate.
+# WARNING: verify_ssl=False disables TLS certificate verification and exposes
+# the connection to man-in-the-middle attacks. Only use this when you trust
+# the network path to the server. Never use in production without understanding
+# the risks.
 llm = og.LLM(private_key="0x...", llm_server_url="https://1.2.3.4", verify_ssl=False)
 
 # On-chain model inference (OpenGradient testnet gas tokens)
diff --git a/src/opengradient/client/llm.py b/src/opengradient/client/llm.py
@@ -80,6 +80,14 @@ class LLM:
         verify_ssl (bool): Whether to verify the server's TLS certificate.
             Defaults to ``True``. Set to ``False`` when connecting directly via
             ``llm_server_url`` to a TEE with a self-signed certificate.
+
+            .. warning::
+                Disabling SSL verification (``verify_ssl=False``) removes
+                protection against man-in-the-middle attacks. Only use this
+                when you trust the network path to the TEE and have verified
+                the server identity through another means (e.g. the on-chain
+                registry). Never use in production without understanding the
+                risks.
     """
 
     def __init__(
