ssh-lab

Security checks across static analysis, malware telemetry, and agentic risk

Overview

ssh-lab looks like a real SSH/GPU server tool, but it gives an agent broad SSH power over configured servers and includes one unsafe shell-based SSH config lookup.

Treat this like giving the agent an SSH terminal. Install only if you intend it to use your SSH access, preferably with a limited SSH config/key. Review all `run`, `sync`, and `all` operations before execution, use rsync dry-run first, and consider patching the `ssh -G` lookup to avoid shell-string execution.

Static analysis

Dangerous exec (Critical), reported 3 times

Finding: Shell command execution detected (child_process).

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked, the tool can act with the user's SSH privileges on configured remote servers and may expose command output, logs, or file contents to the agent session.

Why it was flagged

This explicitly uses local SSH profile/credential material and delegated remote account access. The supplied registry metadata declares no primary credential, required config path, or required binary, so the high-impact permission boundary is under-declared.

Skill content

The CLI reads `~/.ssh/config` automatically ... Uses native `ssh` — inherits user's config, keys, ProxyJump

Recommendation

Use only with a dedicated, least-privilege SSH config/key and trusted hosts. The skill metadata should declare native SSH/rsync requirements and the `~/.ssh/config`/SSH-key dependency.

What this means

A mistaken or overly broad agent/tool call could run destructive or sensitive commands across multiple servers with the user's SSH permissions.

Why it was flagged

This allows arbitrary user-supplied remote commands and can fan them out to all resolved hosts. That is coherent for an SSH workbench, but it is broad mutation authority without an artifact-backed approval gate, allowlist, or safer default workflow.

Skill content

`ssh-lab run <host|all> <command...>` ... Supports `all` for parallel execution across all hosts.

Recommendation

Require explicit user confirmation for `run`, `sync`, and any `all` target; avoid broad all-host operations unless intentional; prefer read-only status commands when possible.

What this means

A malicious or compromised SSH config entry could potentially cause unintended local command execution when the tool enumerates hosts.

Why it was flagged

String-form `execSync` invokes a shell. If `alias` is not strictly validated or escaped, a crafted SSH host alias could inject local shell syntax during host discovery.

Skill content

const output = execSync(`ssh -G ${alias} 2>/dev/null`, {

Recommendation

Replace shell-string `execSync` with `execFileSync`/`spawn` argument arrays such as `ssh`, `['-G', alias]`, and validate host aliases before use.

What this means

Users have less registry-level provenance and requirement checking before granting the skill SSH-administration capabilities.

Why it was flagged

The artifacts include package files and a lockfile, but registry provenance and install requirements are incomplete for a tool that needs Node, native SSH, and rsync for sync.

Skill content

Source: unknown; Homepage: none ... No install spec — this is an instruction-only skill.

Recommendation

Install only from a trusted source, inspect the included code/lockfile, and update metadata to declare the source, homepage, required binaries, and build steps.

What this means

SSH sessions or socket files may remain reusable after an individual command, depending on SSH behavior and cleanup.

Why it was flagged

The tool deliberately uses persistent SSH ControlMaster sockets. This is disclosed and purpose-aligned for performance, but it is still persistent connection state users should understand.

Skill content

Persistent SSH connections via `/tmp/ssh-lab-%r@%h:%p` sockets; auto-cleanup detects stale sockets

Recommendation

Use on trusted machines, monitor/clean ControlMaster sockets when needed, and document the persistence lifetime clearly.