MCP SSH Manager

Security checks across malware telemetry and agentic risk

Overview

This SSH management skill appears purpose-aligned, but it gives an agent broad remote administration powers with limited safety scoping and local data-handling guidance.

Install only if you intend to let the agent administer trusted SSH hosts. Use least-privilege accounts, confirm every sudo, sync, restore, tunnel, service restart, and session-closing action, and treat saved workdir outputs as sensitive infrastructure data that should be protected, redacted, and cleaned up when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs the agent to use shell-like command execution and local filesystem operations, but the manifest declares no explicit permissions or guardrails. This creates a capability/permission gap where a consumer may not realize the skill can execute remote commands, transfer files, and write local artifacts, increasing the chance of unsafe or unauthorized use.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script's comments and messaging strongly imply that it captures real server status over SSH/MCP, but it only writes a placeholder JSON template and prints a minimal local status object. In a remote server management skill, this can mislead operators or downstream automation into trusting fabricated monitoring data, causing missed outages, failed incident response, or unsafe operational decisions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents powerful operations such as command execution, sudo, upload/download, sync, tunneling, backup, and restore without prominent warnings, confirmation points, or safety constraints. In an agent setting, that omission is dangerous because users may trigger remote state changes, data overwrites, service disruption, or data exposure without understanding the impact.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documented deployment flow includes stopping and deleting the running service before the replacement is verified healthy, and the rollback section includes destructive restoration steps without an explicit warning about downtime, state loss, or operator confirmation. In an SSH management skill, users may copy these steps directly, so omission of safeguards materially increases the chance of accidental service disruption or data loss.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow explicitly captures and persists outputs from commands like `netstat -tulpn`, `ss -tulpn`, `docker ps -a`, `who`, and `last`, which can reveal usernames, login history, internal network topology, service names, ports, container details, and process associations. Storing this data under a local workdir without any warning, minimization guidance, or access-control advice increases the chance of sensitive operational data being retained insecurely or shared unintentionally.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow performs state-changing administrative actions on a remote server, including ownership changes, permission changes, and service restarts, without any safety warning, rollback guidance, or instruction to verify authorization before execution. In an SSH-management skill, operators are likely to copy these commands directly, so omission of safeguards materially increases the chance of service disruption or unsafe fixes being applied in production.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The workflow collects and stores logs, process data, configs, and service details under a local workdir without warning that these artifacts may contain secrets, internal hostnames, usernames, paths, or other sensitive operational data. In a remote server management skill, normalizing indiscriminate local retention of diagnostics can lead to credential leakage, privacy issues, or exposure of infrastructure details if the workstation or workdir is shared or backed up insecurely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly recommends `ssh_session_close session="all"` without any warning that this is a destructive operation that can terminate unrelated active sessions. In an SSH management skill, users may copy commands directly, so this omission creates a realistic risk of accidental disruption to deployments, monitoring, or administrative work in progress.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The file instructs users to run `sudo systemctl reload sshd` after editing SSH daemon configuration, but provides no warning about authorization requirements, risk of misconfiguration, or possibility of disrupting remote access. In a remote-server-management skill, operators may execute such steps over SSH, which can cause lockout or service instability if done incorrectly.
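The least-privilege, missing-confirmation, session-close and sshd-reload findings above all come down to the same gap: nothing sits between the agent's tool call and the remote shell. The policy gate below is an added example (not the skill's own code) of what that layer can look like. It uses the tool names and argument shapes that appear in the skill's own table (`ssh_execute`, `ssh_execute_sudo`, `ssh_session_close`, ...) and assumes a hypothetical pre-execution hook in the agent host where a call can be inspected and held for operator confirmation. Read-only tools pass, root and state-changing commands require confirmation, obviously destructive commands are refused outright, and any tool the policy does not recognise (sync, restore, tunnel, upload/download) defaults to confirmation rather than to allow.

```python
"""Pre-execution policy gate for MCP SSH Manager tool calls.

Added example, not part of the skill. Tool names come from the skill's
command table; the hook that lets you intercept a call is assumed.
"""
import re
from dataclasses import dataclass

ALLOW, CONFIRM, DENY = "allow", "confirm", "deny"


@dataclass(frozen=True)
class Decision:
    verdict: str
    reason: str


# Tools from the skill's own table that only read state.
READONLY_TOOLS = {"ssh_list_servers", "ssh_connection_status"}

# Patterns that make a remote command state-changing, lockout-prone, or an
# exfiltration path. Each one forces an explicit operator confirmation.
CONFIRM_PATTERNS = [
    (r"^\s*sudo\b", "runs as root"),
    (r"\bsystemctl\s+(stop|restart|reload|disable|mask)\b", "changes service state"),
    (r"\bsshd\b|/etc/ssh/", "touches the SSH daemon: run 'sshd -t' first and keep a second session open"),
    (r"\b(chown|chmod)\b", "changes ownership or permissions"),
    (r"\brm\s+-\w*[rf]", "recursive or forced delete"),
    (r"\b(apt|apt-get|dnf|yum)\s+(install|remove|purge|upgrade|full-upgrade)\b", "changes installed packages"),
    (r"\bdocker\s+(rm|rmi|stop|kill|system\s+prune)\b", "stops or removes containers or images"),
    (r"\b(curl|wget|nc|ncat|scp|rsync)\b", "moves data off or onto the host"),
    (r"\beval\b|\$\(|`|base64\s+(-d|--decode)", "builds or decodes the command at runtime, so the text shown is not what runs"),
]

# Never let the agent do these unattended, confirmed or not.
DENY_PATTERNS = [
    (r"\brm\s+-\w*[rf]\w*\s+/(\s|$)", "deletes the root filesystem"),
    (r"\b(mkfs(\.\w+)?|dd)\b", "raw disk write"),
    (r">\s*/etc/(passwd|shadow|sudoers)\b", "overwrites an authentication file"),
]

# Split on shell list/pipe operators so 'ls && rm -rf /x' is judged per segment.
_SPLIT = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")


def classify_command(command: str) -> Decision:
    """Judge a raw remote command string, worst segment wins."""
    reasons = []
    for segment in filter(None, _SPLIT.split(command)):
        for pattern, why in DENY_PATTERNS:
            if re.search(pattern, segment):
                return Decision(DENY, f"{why}: {segment!r}")
        for pattern, why in CONFIRM_PATTERNS:
            if re.search(pattern, segment):
                reasons.append(why)
    if reasons:
        return Decision(CONFIRM, "; ".join(dict.fromkeys(reasons)))
    return Decision(ALLOW, "no state-changing pattern matched")


def review_call(tool: str, args: dict) -> Decision:
    """Decide what the agent host should do with one MCP tool call."""
    if tool in READONLY_TOOLS:
        return Decision(ALLOW, "read-only tool")
    if tool == "ssh_session_close":
        if args.get("session") == "all":
            return Decision(CONFIRM, "closes every open session, including ones other work depends on")
        return Decision(ALLOW, "closes one named session")
    if tool == "ssh_execute":
        return classify_command(args.get("command", ""))
    if tool == "ssh_execute_sudo":
        inner = classify_command(args.get("command", ""))
        if inner.verdict == DENY:
            return inner
        return Decision(CONFIRM, f"runs as root via sudo; {inner.reason}")
    # Anything the policy does not know (sync, restore, tunnel, upload/download)
    # changes remote or local state, so it needs a human in the loop.
    return Decision(CONFIRM, f"tool {tool!r} is not in the read-only set")


if __name__ == "__main__":
    for call in [("ssh_execute", {"server": "rock5t", "command": "df -h"}),
                 ("ssh_execute_sudo", {"server": "rock5t", "command": "apt update"}),
                 ("ssh_execute", {"command": "sudo systemctl reload sshd"}),
                 ("ssh_session_close", {"session": "all"})]:
        print(call[0], "->", review_call(*call))
```

This is a heuristic gate, not a sandbox: it catches the operations the findings name, but a prompt-injected agent can still obfuscate a command, which is why command substitution and decoding are flagged rather than assumed benign. The real control is the confirmation step itself, paired with a non-root SSH account whose sudoers entry only covers the specific commands the deployment needs.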

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document encourages persistent local storage of SSH outputs, status snapshots, and summaries per host, but provides no guidance on protecting those artifacts. In an SSH-management skill, these files can easily contain hostnames, service inventories, logs, credentials accidentally echoed by commands, network exposure details, or other operationally sensitive data that would be valuable to an attacker if the local machine or shared home directory is compromised.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
These examples explicitly save outputs from commands like log greps, service listings, netstat, and health checks into predictable local files. In the context of a remote server management skill, this materially increases exposure because the stored artifacts can reveal internal topology, running services, ports, errors, and security-relevant operational details long after the session ends.
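The four workdir findings above (captured `ss`/`netstat`/`who`/`last` output, retained logs and configs, per-host snapshots, predictable output files) and the overview's advice to protect, redact and clean up saved outputs are addressed together by the following added example. It is not the skill's code; it assumes a `<workdir>/<server>/<timestamp>-<command>.txt` layout, which the report does not specify, and uses two constructed captures as input. Output is scrubbed before it ever touches disk, files are created with mode 0600 inside 0700 directories, and anything older than a retention window is deleted.

```python
"""Scrub, lock down and expire SSH outputs saved under a local workdir.

Added example, not the skill's own code. The directory layout and the
sample captures below are assumed/constructed for illustration.
"""
import os
import re
import stat
import tempfile
import time
from pathlib import Path
from typing import List, Optional

# Constructed samples of what the skill's diagnostic workflow would save.
SAMPLE_SS = """Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    10.0.0.12:5432      0.0.0.0:*         users:(("postgres",pid=812,fd=5))
tcp   LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=901,fd=6))
"""
SAMPLE_ENV = "DATABASE_URL=postgres://app:S3cretPw@10.0.0.12:5432/app\nAPI_KEY=sk-live-abc123\n"

# Things that turn up in config dumps, env files, journal greps and service
# output, and that a workdir should not retain verbatim.
REDACTIONS = [
    (re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[=:]\s*\S+"), r"\1=<REDACTED>"),
    (re.compile(r"://([^:/\s]+):([^@\s]+)@"), r"://\1:<REDACTED>@"),        # creds in URLs
    (re.compile(r"\bBearer\s+[A-Za-z0-9._\-]+"), "Bearer <REDACTED>"),
    (re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"), "<AWS_KEY_ID>"),
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S), "<PRIVATE_KEY>"),
]
_IP = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _mask_ip(match: "re.Match") -> str:
    # Keep loopback and wildcard binds (needed to read the listing); hide the rest.
    ip = match.group(0)
    return ip if ip.startswith("127.") or ip == "0.0.0.0" else "<IP>"


def scrub_text(text: str) -> str:
    """Best-effort redaction; usernames from `who`/`last` need per-command rules."""
    for pattern, repl in REDACTIONS:
        text = pattern.sub(repl, text)
    return _IP.sub(_mask_ip, text)


def persist(workdir: Path, server: str, name: str, raw_output: str) -> Path:
    """Write a scrubbed capture as 0600 inside a 0700 per-host directory."""
    host_dir = workdir / server
    host_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(workdir, 0o700)
    os.chmod(host_dir, 0o700)
    safe = re.sub(r"[^A-Za-z0-9_.-]", "_", name)
    path = host_dir / f"{time.time_ns()}-{safe}.txt"
    # O_EXCL + 0600 at creation: the file is never briefly world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(scrub_text(raw_output))
    return path


def expire(workdir: Path, max_age_days: int, now: Optional[float] = None) -> List[Path]:
    """Delete captures older than the retention window; return what was removed."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    removed = []
    for path in workdir.rglob("*.txt"):
        if path.is_file() and path.stat().st_mtime < cutoff:
            path.unlink()
            removed.append(path)
    return removed


def run_demo() -> dict:
    """Persist two constructed captures, age one artificially, expire it."""
    workdir = Path(tempfile.mkdtemp(prefix="ssh-workdir-"))
    p1 = persist(workdir, "rock5t", "ss -tulpn", SAMPLE_SS)
    p2 = persist(workdir, "rock5t", "cat .env", SAMPLE_ENV)
    old = time.time() - 45 * 86400
    os.utime(p1, (old, old))
    removed = expire(workdir, max_age_days=30)
    return {
        "file_mode_ok": stat.S_IMODE(p2.stat().st_mode) == 0o600,
        "dir_mode_ok": stat.S_IMODE((workdir / "rock5t").stat().st_mode) == 0o700,
        "scrubbed_env": p2.read_text(),
        "expired": [p.name for p in removed],
        "remaining": sorted(q.name for q in workdir.rglob("*.txt")),
    }


if __name__ == "__main__":
    print(scrub_text(SAMPLE_SS))
    print(run_demo())
```

Regex redaction is a floor, not a guarantee: it removes the obvious credentials and the internal addresses the findings call out, but service names, ports and container details still reveal topology, so the retention window and the file modes matter as much as the scrubbing. If the agent needs the raw output in-session, keep it in memory and save only the scrubbed form.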

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
|------|------|---------|
| List servers | `ssh_list_servers` | `ssh_list_servers` |
| Execute command | `ssh_execute` | `ssh_execute server="rock5t" command="df -h"` |
| Execute with sudo | `ssh_execute_sudo` | `ssh_execute_sudo server="rock5t" command="apt update"` |
| Check status | `ssh_connection_status` | `ssh_connection_status action="status"` |

### Session Management
Confidence
87% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
|------|------|---------|
| List servers | `ssh_list_servers` | `ssh_list_servers` |
| Execute command | `ssh_execute` | `ssh_execute server="rock5t" command="df -h"` |
| Execute with sudo | `ssh_execute_sudo` | `ssh_execute_sudo server="rock5t" command="apt update"` |
| Check status | `ssh_connection_status` | `ssh_connection_status action="status"` |

### Session Management
Confidence
87% confidence
Finding
sudo

VirusTotal

0 of 64 VirusTotal vendors flagged this skill; all 64 reported it clean. A clean antivirus result says nothing about the agentic-risk findings above, which concern what the skill instructs an agent to do rather than malicious code in the package.