Ssh Tool
WarnAudited by ClawScan on May 10, 2026.
Overview
This is a simple SSH wrapper, but it can let the agent use your SSH access to run remote commands without clear host, command, or credential boundaries.
Install only if you intend to let the agent initiate SSH sessions. Review every host and command before execution, use restricted SSH keys or accounts, avoid broad production credentials, and verify the local ssh binary and PATH.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with your SSH access, the agent could run commands on remote systems with your privileges; mistakes could change, delete, or expose remote data.
The wrapper passes the selected host and all command arguments directly to ssh. That is purpose-aligned, but it exposes broad remote command execution without an artifact-level host allowlist, command policy, approval step, or containment.
cmd = ['ssh', args.host] + (args.cmd or []) subprocess.run(cmd)
Use only with explicit user-reviewed host and command inputs. Prefer a dedicated low-privilege SSH key/account, restrict allowed hosts, and add confirmation for remote commands.
The agent may authenticate as you to reachable SSH hosts and inherit whatever permissions your account or loaded SSH keys have.
The skill explicitly relies on SSH credentials, but the metadata declares no primary credential or required config paths, and the artifacts do not bound which local SSH keys, agent identities, or account privileges may be used.
- Authenticate with password or SSH keys
Document the credential behavior, use dedicated restricted keys, avoid broad production keys in the SSH agent, and require user approval before using privileged identities.
The skill may fail if ssh is unavailable, or it may use whatever ssh binary appears first on the user's PATH.
The included code depends on the system ssh binary, while the provided requirements list no required binaries and the source/homepage are unknown. This is a dependency/provenance gap, not evidence of malicious behavior.
cmd = ['ssh', args.host] + (args.cmd or [])
Declare ssh as a required binary, provide clear source/provenance, and verify the local ssh binary before use.