Skill v1.0.0
ClawScan security
netmiko ssh · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 25, 2026, 11:04 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (running SSH commands via an MCP server) matches its tools, but it lacks transparency about where commands/credentials are sent and persisted and provides no provenance — this raises data-exfiltration and trust concerns the user should resolve before installing.
- Guidance: This skill connects to a remote MCP server that will execute SSH commands you provide and keeps session/command history. Before installing or using it:
  1) Ask who operates the MCP_Server_Trigger (where the server runs) and request the server's endpoint and privacy/security policy (is data logged, for how long, is traffic encrypted?).
  2) Vet the recommended dependency (https://github.com/fenwei-dev/mcp2skill) — review its code and releases rather than blindly installing.
  3) Avoid sending high-privilege credentials until you confirm that credentials are not persisted or are properly protected; prefer ephemeral keys or limited-scope accounts.
  4) If possible, run the MCP server under your control (on-premises) or use a vetted connector to avoid exposing sensitive device credentials to unknown third parties.
  5) The skill metadata lacks a homepage/source — treat it as unverified and ask the publisher for provenance and security documentation before granting access or supplying secrets.
Review Dimensions
- Purpose & Capability (note): The skill exposes tools to create SSH sessions and run commands on remote devices, which aligns with the 'ssh' purpose. However, the package metadata/source/homepage are missing and the name ('netmiko ssh') vs. server name ('MCP_Server_Trigger' / 'restssh') is inconsistent. The SKILL.md depends on an external CLI (mcp2skill), which is reasonable for an adapter, but the origin of the MCP server and its operator are not disclosed.
- Instruction Scope (concern): Runtime instructions direct the agent to call a remote MCP server to run arbitrary SSH commands using user-supplied host/username/password. The SKILL.md also mentions a database-backed session/command history — meaning credentials or commands might be logged/persisted remotely. The document does not disclose the server endpoint, data handling, or retention policy, so use could result in sensitive data being transmitted and stored offsite without clear consent.
- Install Mechanism (note): There is no install spec (instruction-only), which minimizes local code execution risk. The README recommends installing 'mcp2skill' from a GitHub repo; that is an external dependency the user would need to vet separately. No automated downloads/installers are embedded in the skill itself.
- Credentials (concern): The skill declares no required environment variables or credentials at install time, but its runtime API requires SSH credentials (username/password) be provided as call arguments. Because the server records session and command history, accepting credentials at runtime could lead to durable storage or forwarding of secrets. There is no explanation why credentials would be retained or how they are protected.
- Persistence & Privilege (ok): The skill does not request persistent platform privileges (always:false) and has no install operations. It does not declare any capability to modify other skills or global agent configuration.
