remote-terminal

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate remote-server administration skill, but it has risky credential handling and broad command authority that users should review carefully before installing.

Install only if you intentionally want an agent to run commands on remote servers. Prefer SSH keys and SSH config aliases, avoid password mode, do not save passwords in hosts.json, keep host-key verification enabled, review every production or multi-host command before execution, and treat the local logs and host inventory as sensitive files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    ]
    
    try:
        result = subprocess.run(
            ssh_cmd,
            capture_output=True,
            text=True,
Confidence
88% confidence
Finding
result = subprocess.run( ssh_cmd, capture_output=True, text=True, timeout=60 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
98% confidence
Finding
The skill clearly enables shell execution plus local file read/write behavior (logs and host inventory), yet no explicit permissions are declared. In a remote-terminal skill, this is especially risky because users may not realize it can persist data locally and execute impactful commands, reducing transparency and weakening platform controls.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared purpose focuses on remote terminal access, but the content also introduces persistent storage of host metadata, command logging, and password-based execution practices. That mismatch matters because it hides additional data-retention and credential-handling behaviors that materially expand the skill's security and privacy impact.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger phrases are broad enough to match common admin or troubleshooting requests, which can cause the skill to activate in contexts where users did not intend remote execution tooling. For a skill capable of running remote shell commands, overbroad invocation materially increases the chance of accidental high-impact use.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill immediately presents remote execution and credential-handling workflows without a prominent upfront warning about operational risk, privacy exposure, and possible destructive impact. In a terminal-control context, users should be warned early that commands may affect production systems and that credentials and outputs may be sensitive.

Missing User Warnings

High
Confidence
99% confidence
Finding
The examples explicitly recommend sshpass with plaintext passwords and disabling StrictHostKeyChecking, which enables credential exposure and man-in-the-middle attacks. Presenting these as normal usage patterns in a remote terminal skill normalizes unsafe behavior and makes compromise of remote hosts more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide includes an example that disables SSH host key verification via `StrictHostKeyChecking no` and `UserKnownHostsFile /dev/null`, which makes man-in-the-middle attacks much easier. Although it is labeled 'Not Recommended for Production', it still provides copy-pastable insecure configuration in a remote-terminal skill where users are likely to apply SSH settings directly to real servers.

Missing User Warnings

High
Confidence
99% confidence
Finding
show_host prints every stored field verbatim, including the password when one was saved via --password. In a remote terminal skill, this is especially risky because credentials may be exposed in terminal logs, screenshots, shared sessions, or agent transcripts, enabling immediate unauthorized access to remote systems.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The password-based SSH path uses sshpass with a cleartext password and provides no warning that supplying --password exposes credentials in shell history and process lists. In a remote-terminal skill, this is especially risky because operators may use privileged production credentials, making accidental disclosure materially dangerous.

Ssd 3

Medium
Confidence
94% confidence
Finding
The instruction to log all remote commands with hostnames and timestamps creates a persistent record of potentially sensitive operational data, including infrastructure names, commands, and possibly secrets embedded in commands. In a remote-admin skill, such logs can become a valuable target for attackers or leak sensitive environment details.

Ssd 3

Medium
Confidence
95% confidence
Finding
The persistent local host inventory stores sensitive infrastructure metadata such as hostnames, usernames, tags, and key paths, and the analysis indicates passwords may also be stored there. This centralizes targeting information and can expose credentials or facilitate lateral movement if the local environment is compromised.

Unvalidated Output Injection

High
Category
Output Handling
Content
    ssh_cmd.append(command)
    
    try:
        result = subprocess.run(
            ssh_cmd,
            capture_output=True,
            text=True,
Confidence
85% confidence
Finding
subprocess.run( ssh_cmd, capture_output

Credential Access

High
Category
Privilege Escalation
Content
      "host": "192.168.1.100",
      "user": "admin",
      "method": "ssh-key",
      "key": "~/.ssh/id_rsa",
      "tags": ["web", "critical"]
    },
    "staging": {
Confidence
83% confidence
Finding
~/.ssh/id_rsa

Tool Parameter Abuse

High
Category
Tool Misuse
Content
Before executing dangerous commands, ask the user to confirm:

**Dangerous command patterns:**
- `rm -rf`, `rm -r`, `del`, `erase`
- `shutdown`, `reboot`, `poweroff`, `halt`
- `mkfs`, `fdisk`, `parted`, `dd`
- `chmod 777`, `chown -R`
Confidence
91% confidence
Finding
rm -rf`, `rm -r`, `del`, `erase` - `shutdown`, `reboot`, `poweroff`, `halt` - `mkfs`, `fdisk`, `parted`, `dd` - `chmod 777`, `chown -R` - `> /dev/`, `truncate` - `kill -9`, `pkill`, `killall` - `iptab

Tool Parameter Abuse

High
Category
Tool Misuse
Content
- `DROP DATABASE`, `DELETE FROM`, `TRUNCATE`

**Confirmation format:**
> ⚠️ **Dangerous command detected**: `rm -rf /var/log/*`
> This will permanently delete files. Proceed? (yes/no)

### Command Blacklist
Confidence
90% confidence
Finding
rm -rf /var/log/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
### Command Blacklist

These commands are blocked by default and require explicit user override:
- `rm -rf /` (entire filesystem)
- `mkfs` on mounted drives
- `dd` to primary disk
- Any command piping to `/dev/sda` or similar
Confidence
88% confidence
Finding
rm -rf /

VirusTotal

64/64 vendors flagged this skill as clean.