Ssh Tool
PassAudited by VirusTotal on May 3, 2026.
Overview
Type: OpenClaw Skill Name: ssh-tool Version: 1.0.0 The skill provides a direct wrapper for the system 'ssh' command in scripts/ssh.py, enabling remote command execution and port forwarding as described in SKILL.md. While no explicitly malicious intent is found, the implementation lacks any input sanitization or restriction on SSH flags, which could allow for local command execution via argument injection (e.g., using -oProxyCommand). Providing an AI agent with unrestricted SSH access is a high-risk capability that could be easily abused.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with your SSH access, the agent could run commands on remote systems with your privileges; mistakes could change, delete, or expose remote data.
The wrapper passes the selected host and all command arguments directly to ssh. That is purpose-aligned, but it exposes broad remote command execution without an artifact-level host allowlist, command policy, approval step, or containment.
cmd = ['ssh', args.host] + (args.cmd or []) subprocess.run(cmd)
Use only with explicit user-reviewed host and command inputs. Prefer a dedicated low-privilege SSH key/account, restrict allowed hosts, and add confirmation for remote commands.
The agent may authenticate as you to reachable SSH hosts and inherit whatever permissions your account or loaded SSH keys have.
The skill explicitly relies on SSH credentials, but the metadata declares no primary credential or required config paths, and the artifacts do not bound which local SSH keys, agent identities, or account privileges may be used.
- Authenticate with password or SSH keys
Document the credential behavior, use dedicated restricted keys, avoid broad production keys in the SSH agent, and require user approval before using privileged identities.
The skill may fail if ssh is unavailable, or it may use whatever ssh binary appears first on the user's PATH.
The included code depends on the system ssh binary, while the provided requirements list no required binaries and the source/homepage are unknown. This is a dependency/provenance gap, not evidence of malicious behavior.
cmd = ['ssh', args.host] + (args.cmd or [])
Declare ssh as a required binary, provide clear source/provenance, and verify the local ssh binary before use.