Sshtunnel

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says by exposing SSH through a tunnel, but its instructions create public remote-access paths with several under-disclosed security risks.

Review this carefully before installing. Only use it on a machine where you intentionally want SSH exposed to the public internet, prefer key-only SSH with password login disabled, avoid the MySQL/arbitrary-port examples unless you fully understand the exposure, and do not run the pipe-to-shell installers or TLS-disabled sample code without independent verification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium (89% confidence)
Finding
The skill is described as exposing an existing local SSH service, but these instructions expand its scope into installing and enabling a new SSH server. That materially increases attack surface by turning a host that may not have been running SSH into an internet-reachable SSH endpoint, which is especially risky in a tunneling skill whose primary effect is public exposure.

Context-Inappropriate Capability

Medium (91% confidence)
Finding
The advanced usage section broadens the skill from SSH exposure to forwarding arbitrary TCP services such as MySQL. This scope creep is dangerous because users may expose sensitive database ports to the public internet under a skill marketed as SSH-specific, increasing the chance of unintended service exposure and weakly secured non-SSH protocols being published.

Description-Behavior Mismatch

Medium (86% confidence)
Finding
The skill branding and description present it as SSH-specific, but the documented CLI and examples encourage exposing non-SSH services too. This mismatch can mislead users and downstream agents about the real capability of the tool, causing broader public exposure than intended.

Missing User Warnings

High (95% confidence)
Finding
The description advertises convenience and 'perfect isolation' but does not prominently warn that the skill exposes a local SSH service to the public internet. In this context, omission is security-significant because users may enable remote access from behind NAT/firewall specifically because they assume the network boundary remains protective.

Missing User Warnings

Medium (98% confidence)
Finding
The installation instructions pipe a remotely fetched script directly into a shell without any warning or verification guidance. This creates a direct code-execution path from a third-party server and is especially dangerous in agent contexts, where users may follow documentation automatically or without reviewing the script contents.

Missing User Warnings

Medium (84% confidence)
Finding
The instructions tell users to modify ~/.ssh/config but do not warn about the persistence and scope of that change. A wildcard host rule with a ProxyCommand affects future SSH behavior for matching hosts and can unintentionally route connections through the tunnel helper, creating security and troubleshooting risks.

Natural-Language Policy Violations

High (99% confidence)
Finding
The Python example explicitly disables TLS certificate and hostname verification by setting check_hostname to false and verify_mode to CERT_NONE. That permits man-in-the-middle interception or impersonation of the tunnel endpoint, undermining the security guarantees of the SSH-over-TLS design and normalizing insecure copy-paste code.

VirusTotal

63/63 vendors flagged this skill as clean.
