Scp Tool
PassAudited by ClawScan on May 2, 2026.
Overview
This is a simple SCP file-transfer skill whose sensitive behavior is mostly expected for its purpose, but users should notice it can move files over SSH using their existing access.
This appears to be a straightforward SCP wrapper. Before installing or using it, confirm that you trust the local scp binary, review the exact source and destination, and remember that transfers may use your existing SSH access.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong paths or host, files could be copied to or from a remote system.
The script delegates to the system scp command with user-supplied source and destination paths. This is expected for the skill, but it is still a broad file-transfer capability.
subprocess.run(['scp', args.src, args.dst])
Only use it with destinations and sources you trust, and review the exact transfer command before sending sensitive files.
Transfers may use your existing SSH access to remote machines.
SSH-based copying normally acts through the user's SSH account, keys, config, or agent. That is purpose-aligned, but the artifacts do not spell out credential scope.
Copy files between local and remote systems using SSH encryption.
Make sure your SSH configuration and destination host are intended for the transfer, and avoid granting the agent access to SSH credentials you do not want it to use.
The skill may fail or behave differently depending on the local scp binary available on the system.
The script calls scp, so the metadata under-declares an external binary dependency. This is a packaging/disclosure issue rather than evidence of malicious behavior.
Required binaries (all must exist): none
Confirm that a trusted OpenSSH scp executable is installed and available in PATH before using the skill.
Some documented examples or options may not work as expected.
The documentation advertises options, but the included script only defines src and dst positional arguments. This is a capability mismatch, not a clear security issue.
Options - `-r`: Recursively copy directories - `-P port`: Specify SSH port - `-C`: Enable compression for faster transfer - `-v`: Verbose mode for debugging
Treat the implementation as a minimal two-argument scp wrapper unless the package provides another executable not shown here.