ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SAPCONET SSH Bridge

v0.1.0

Standard SAPCONET SSH command templates for bird reads, Puppeteer runs, and inbox messaging workflows.

0· 410·1 current·1 all-time
by@highlander89
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description say the skill standardizes SSH command patterns for bird reads, Puppeteer checks, and inbox messaging; the included scripts only use SSH to run placeholder commands on a remote host, which is coherent with the stated purpose. Minor mismatch: the metadata lists no required env vars, but the scripts rely on SAPCONET_TARGET (with a default neill@100.110.24.44).
Instruction Scope
SKILL.md and scripts confine activity to SSH calls to the target host; there are no other network calls or local file reads. However, remote commands executed over SSH can run arbitrary work on the target host (the scripts currently contain placeholders). The SKILL.md warning to review remote placeholders is appropriate; users should verify remote commands before running.
Install Mechanism
No install spec (instruction-only) and only two bash scripts are included. Nothing will be downloaded or written by an installer — low install risk.
Credentials
The skill requests no declared credentials or env vars in the registry metadata, but runtime instructions and scripts require SAPCONET_TARGET (and in practice system SSH keys/agent or password access). This is proportionate to an SSH template but should be declared explicitly; the hard-coded default target IP/user is an unexplained element that the user must replace.
Persistence & Privilege
always is false, the skill does not request persistent or elevated platform privileges, and it does not modify other skills or global configuration.
Assessment
This skill is basically two SSH wrapper scripts and is coherent with its stated purpose, but before installing or running it you should: 1) manually inspect both scripts (they contain placeholders that become remote commands); 2) replace the default SAPCONET_TARGET (neill@100.110.24.44) with a host you control/trust; 3) ensure your SSH keys/agent are configured rather than entering credentials inline; 4) avoid allowing the agent to autonomously execute these scripts against external hosts unless you explicitly trust the target; and 5) ask the publisher for provenance (source/homepage) if you need accountability — the registry metadata lists no homepage and an unknown owner.

Like a lobster shell, security has layers — review code before you run it.

latestvk971b5zawxwrfn0sd8k5tezs7h81w7as

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments