Billy — SAPCONET SSH Bridge
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
The skill is a clear SSH bridge, but its message template can let specially crafted message text run unintended commands on the SAPCONET host.
Only install this if you trust the SAPCONET target and understand it will run SSH commands with your account. Avoid using the message script with untrusted text until it is changed to safely quote or pass messages without remote shell interpolation.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent passes untrusted or crafted message text into this script, it could run commands on the SAPCONET host using the user's SSH privileges.
The script inserts the message directly into a shell command executed by ssh on the remote host. A message containing a single quote and shell separators can break out of the echo string and execute unintended remote commands.
ssh "${SAPCONET_TARGET}" "echo 'TODO: send inbox message: ${MESSAGE}'"Do not interpolate raw message text into a remote shell command. Pass the message over stdin or apply robust shell quoting, and require user review before sending automated messages.
Running the scripts may connect as the configured SSH user and perform actions with that account's permissions.
The scripts default to an SSH target and will likely rely on the user's existing SSH credentials or agent to authenticate. This is expected for an SSH bridge, but it grants remote account authority when run.
SAPCONET_TARGET="${SAPCONET_TARGET:-neill@100.110.24.44}"Verify the target host and username before running, set SAPCONET_TARGET explicitly, and use a scoped SSH key or account where possible.
Users have less context for verifying the skill's origin and may not realize it depends on local SSH tooling.
The registry context provides no upstream source or homepage, and the metadata does not declare the ssh runtime even though the included scripts invoke ssh. This is not malicious by itself, but it reduces provenance and runtime clarity.
Source: unknown; Homepage: none; Required binaries (all must exist): none
Document the source, declare ssh as a required binary, and review the included scripts before use.