netmiko ssh
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
This SSH skill is not clearly malicious, but it gives an agent broad remote SSH command access using your passwords and stores command/session history without clear safeguards.
Install only if you intentionally want the agent to administer SSH targets. Verify the MCP server and mcp2skill source first, use temporary least-privilege credentials, manually approve each command, avoid production passwords until credential handling is clear, and confirm how session and command history can be reviewed and deleted.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly autonomous tool call could change, disrupt, or expose data on network devices or servers reachable by SSH.
The skill exposes a raw SSH command tool that can run arbitrary commands on remote systems using supplied credentials. The artifacts do not document command allowlists, target restrictions, human approval requirements, or containment.
execute_ssh_command: Executa um comando SSH em um dispositivo remoto. Args: command: O comando a ser executado... host... username... password...
Use only with explicit user-reviewed commands and least-privilege SSH accounts. Add or require confirmations, target scoping, command allowlists, and safe rollback procedures before production use.
Providing a production SSH password could let the MCP server or agent act with that account’s authority, and the artifacts do not show how the password is protected.
Creating a session requires SSH credentials and grants whatever remote privileges that account has. The registry metadata declares no primary credential, and the artifacts do not explain credential storage, redaction, or lifetime.
### create_ssh_session ... "required": ["host", "username", "password", "session_id"]
Do not provide high-privilege or shared SSH passwords unless you trust and have verified the MCP server. Prefer temporary, least-privilege credentials and document credential handling in the skill metadata.
SSH targets, usernames, operational commands, or secrets typed into commands could remain available in history after the task ends.
The skill discloses persistent session history in a database and command history lookup, but does not describe retention, deletion, access controls, or secret redaction.
list_history_sessions: Lista o histórico de todas as sessões registradas no banco de dados. Inclui sessões ativas e encerradas. ... list_history_commands: Lista o histórico de comandos executados
Verify where the database is stored, who can access it, how long history is retained, and how to clear it. Avoid entering secrets in commands unless logging is disabled or redacted.
Your safety depends partly on the external mcp2skill tool and MCP server implementation, which are not reviewed in these artifacts.
The skill depends on an external globally installed helper and an update command, but the supplied artifacts do not pin a version or include the helper/server code for review. The commands are user-directed, so this is a supply-chain note rather than proof of malicious behavior.
This skill requires `mcp2skill` to be installed globally ... install it from https://github.com/fenwei-dev/mcp2skill ... `mcp2skill update-skill --skill <skill-dir>`
Install helper tools only from trusted sources, pin versions where possible, review update changes before applying them, and verify the MCP server implementation separately.