Catfee Ssh

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about being an SSH helper, but it gives an agent broad password-based control over remote servers without enough guardrails.

Install only if you intentionally want an agent to operate servers over SSH. Use a least-privilege account instead of root, prefer SSH keys where possible, verify the SSH host fingerprint before connecting, and require explicit approval before any sudo, restart, reload, file write, deletion, or other state-changing command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 90%
Finding
The example trigger phrase is broad and closely resembles ordinary user requests for server help, which can cause the skill to activate in situations where the user did not intend to provide or use SSH credentials. In this skill, accidental activation is more dangerous than usual because the skill is explicitly designed to collect passwords and perform arbitrary remote command execution on servers.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly includes commands that can reload services and restart Docker on a remote host, but the description and safety notes do not clearly warn that the skill can make service-affecting changes. This increases the chance of unsafe or unexpected use, especially when the skill is invoked for routine diagnostics yet remains capable of causing outages on production systems.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill is designed around accepting a user-supplied SSH password and using it for remote authentication, yet the description does not provide a clear privacy/security warning about handling highly sensitive credentials. Without prominent disclosure and handling guidance, users may expose passwords in unsafe contexts, logs, or transcripts, and operators may underestimate the sensitivity of this workflow.

Vague Triggers

Medium
Confidence: 91%
Finding
The description says the SSH skill should activate whenever a user provides an IP, username, and password, and then broadly allows command execution, configuration viewing, diagnostics, and file operations. For a credential-handling remote-access skill, overly broad invocation criteria can cause the agent to select it in situations where the user did not clearly intend remote execution, increasing the chance of unsafe or unauthorized actions on production systems.

VirusTotal

63/63 vendors flagged this skill as clean.