Security audit

SSH Handoff

Security checks across malware telemetry and agentic risk

Overview

This is a coherent terminal-handoff skill, but it opens high-impact writable shell access and has access-control weaknesses users should review before installing.

Install only if you intentionally need an agent to share a human-authenticated terminal. Prefer plain tmux or localhost-only mode, avoid public tunnels, require a trusted client IP for LAN use, treat printed URLs and tokens as shell credentials, and manually verify cleanup of ttyd/proxy processes and tmux sessions after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill clearly instructs the agent/operator to use shell commands, environment variables, and network-exposed services (`tmux`, `ttyd`, Node proxy), yet it declares no permissions. That mismatch is a real security issue because it obscures the skill's execution and exposure capabilities, preventing proper review, sandboxing, and user consent for shell/network actions.

Missing User Warnings

Medium
Confidence: 92%
Finding: The script starts a writable `ttyd` web terminal attached to a tmux session immediately and in the background, including possible LAN exposure when `HOST` is not `127.0.0.1`, without any interactive confirmation or safety gate. In this skill's context, that is more dangerous than normal because the terminal is specifically designed to hand an authenticated shell from a human to an agent, so accidental exposure can grant powerful session access to unintended parties.

Missing User Warnings

Medium
Confidence: 95%
Finding: The script prints the generated URL, username, password, and token in plaintext to standard output. In a handoff skill, those credentials directly unlock a live writable shell, so disclosure through terminal scrollback, logs, orchestration systems, or agent transcripts can immediately compromise the shared session.

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code: suspicious.env_credential_access
Location: scripts/url-token-proxy.js:7