Ssh Essentials
ReviewAudited by ClawScan on May 1, 2026.
Overview
This is a coherent instruction-only SSH reference, but it includes powerful SSH options that can affect credentials, remote systems, tunnels, and file deletion if used carelessly.
This skill appears safe as an SSH command reference, with no code or install step. Before using it, treat the examples as powerful commands: avoid agent forwarding and StrictHostKeyChecking=no unless you understand the risk, run rsync --dry-run before delete syncs, and stop any background tunnels when finished.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If agent forwarding is used with an untrusted or compromised host, that host may be able to request authentication using your loaded SSH keys during the session.
The skill explicitly documents use of local SSH identities and agent forwarding. This is expected for an SSH skill, but it delegates authentication capability to chosen remote hosts.
ssh -A user@hostname ... IdentityFile ~/.ssh/id_prod ForwardAgent yes
Use agent forwarding only for trusted hosts, prefer per-host keys, use key passphrases and limited ssh-agent lifetimes, and confirm the destination before connecting.
Using this option can make it easier to connect to the wrong server or fall for a man-in-the-middle attack.
The guide includes an example that disables SSH host-key verification. This is a known SSH option and is disclosed, but it can weaken server identity checks if copied without understanding the tradeoff.
ssh -o "StrictHostKeyChecking=no" myserver
Avoid disabling host-key checking unless you have a specific, temporary reason and can verify the server identity another way.
A mistaken source, destination, or delete sync could remove files on a remote system.
The skill documents rsync mirroring with --delete, which can propagate local deletions to a remote directory. This is purpose-aligned for file synchronization but can have broad impact if paths are wrong.
rsync -avz --delete /local/dir/ user@hostname:/remote/dir/
Use --dry-run first, confirm both paths and hostnames, and keep backups before running destructive sync commands.
A background tunnel may keep exposing or forwarding a local or remote service until it is stopped.
The guide includes a background SSH tunnel command. Background tunnels are expected in SSH tunneling guidance, but they can continue running after the immediate task.
ssh -f -N -L 8080:localhost:80 user@hostname
Track background SSH processes, close tunnels when no longer needed, and avoid forwarding sensitive services unless necessary.
Some examples may fail or require extra local tools that are not declared in the registry requirements.
The runtime instructions reference several helper binaries, while the registry metadata declares only ssh as required. This is a dependency declaration gap for an instruction-only skill, not evidence of hidden code.
ssh-keygen -t ed25519 -C "your_email@example.com" ssh-copy-id user@hostname ssh-add ~/.ssh/id_rsa rsync -avz /local/dir/ user@hostname:/remote/dir/
Confirm each command is available and intended before use; the skill metadata should ideally list optional helper tools used by the examples.