Skill v1.0.0

ClawScan security

VPS Command Runner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 10, 2026, 9:10 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's scripts do what the name promises (run SSH commands across VPS), but the package metadata omits required binaries/credentials and the instructions encourage storing plaintext passwords and disabling host key checking — these mismatches and insecure practices are concerning.
Guidance
This skill will run arbitrary SSH commands on multiple servers, which fits its purpose, but it currently encourages insecure practices: it asks you to hardcode a username/password in the scripts, uses sshpass, and disables SSH host-key checking. Before installing or using it:
(1) do not paste real passwords into these files — remove PASS and use SSH key auth or an SSH agent;
(2) prefer key-based auth (ssh -i /path/to/key) and use ssh-copy-id to deploy keys;
(3) re-enable host key checking or explicitly manage known_hosts to avoid MITM risk;
(4) validate or install required binaries (ssh, sshpass if you insist, docker) and update the skill metadata to declare them;
(5) inspect and run the scripts in a safe environment (non-production) first;
(6) consider using established tools (Ansible, parallel-ssh) that handle credentials and auditing more securely.
If you cannot or will not change the scripts to use keys and proper host verification, treat this skill as unsafe for production credentials or sensitive servers.

Review Dimensions

Purpose & Capability
concern
Name/description: manage multiple VPS via SSH — matches the included scripts which run remote commands and check status. However the registry metadata declares no required binaries or credentials while the scripts rely on ssh, sshpass and docker being available and require a username/password. Omitting those requirements in metadata is an incoherence and reduces visibility for users.
Instruction Scope
concern
SKILL.md and scripts instruct the user to insert USER and PASS directly into script files (plaintext credentials), use sshpass, and use '-o StrictHostKeyChecking=no' which suppresses host key verification. Scripts also read local system files (hostname, /proc/loadavg) and run docker commands locally and remotely — these are plausible for a health-check tool but the instructions give broad discretion and encourage insecure credential handling.
Install Mechanism
note
There is no install spec (instruction-only), which is low friction and expected for simple script bundles. However the scripts call sshpass, ssh and docker without declaring them; the skill does not provide guidance to install these tools or validate their presence. That's a usability and safety gap but not an explicit supply-chain risk.
Credentials
concern
The skill requests that users place credentials (PASSWORD) directly into scripts rather than using declared environment variables, secrets, or SSH keys. No environment variables are declared in metadata despite the need for sensitive credentials — this is disproportionate and increases risk of accidental credential leakage.
Persistence & Privilege
ok
always:false and user-invocable:true — the skill does not request permanent or privileged presence in the agent. It does not modify other skills or system-wide config. This aspect is appropriate.