Wish SSH Code Review
v2.3.0
Reviews Wish SSH server code for proper middleware, session handling, and security patterns. Use when reviewing SSH server code using charmbracelet/wish.
by Kevin Anderson (@anderskev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (Wish SSH Code Review) match the provided checklist and reference documents. The skill is instruction-only and does not request unrelated binaries, env vars, or access to external services.
Instruction Scope
SKILL.md and reference files contain guidance and example Go snippets for reviewing server setup, middleware order, session handling, timeouts, and BubbleTea integration. The instructions do not direct the agent to read host machine files, exfiltrate data, or contact any external endpoints — they only tell the reviewer what to look for in code.
Install Mechanism
No install spec or code files are present; this is lowest-risk (instruction-only). There are no downloads or extracted artifacts.
Credentials
The skill requires no environment variables or credentials. Example snippets reference common runtime things (e.g., os.Getenv in a discouraged password example) but the skill itself does not request secrets or configs.
Persistence & Privilege
Flags show default behavior (not always: true), and there is no installation or persistent component modifying agent/system settings. Autonomous invocation is allowed (platform default) but is not combined with other concerning privileges.
Assessment
This skill is a coherent, instruction-only code-review checklist for wish-based SSH servers. Before installing or trusting automated reviews, consider: (1) the skill contains example code that mentions insecure patterns (e.g., password auth using os.Getenv) — those are examples to flag, not to enable; (2) ensure your reviewers (human or automated) check for host key persistence and proper file permissions and do not copy insecure snippets verbatim; (3) the docs mention running an HTTP health endpoint — if present in your codebase, verify it is not exposing sensitive data or left unauthenticated; (4) because this is instruction-only, no code was scanned — if you want deeper assurance, run the checklist against your actual repository and inspect any middleware that accesses environment variables, external telemetry/metrics, or arbitrary network endpoints. Overall the skill appears benign and appropriate for the stated purpose.
