
Review

Audited by ClawScan on May 10, 2026.

Overview

This skill transparently creates SSH wrappers for Mac tools, but it needs review because the generated shell wrappers use high-trust SSH access and do not safely escape all configured host/path values.

Install only if you intentionally want a Linux gateway to call tools on trusted Mac nodes. Use dedicated non-root SSH keys, pin host identity where possible, create narrow wrappers, inspect the generated wrapper files, and avoid untrusted host or path values until the shell-escaping issue is fixed.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent or user installs a wrapper with untrusted or malformed host/path values, the resulting wrapper could run unintended local commands under the gateway user's account.

Why it was flagged

The unquoted heredoc expands HOST, REMOTE_BIN, and ssh_opts into a generated bash script without emitting them as safely shell-escaped literals. Crafted or malformed setup values containing quotes or shell metacharacters could change what the wrapper runs when invoked.

Skill content

cat > "$wrapper" <<EOF
#!/usr/bin/env bash
set -euo pipefail
remote_cmd=\$(printf '%q ' "$REMOTE_BIN" "\$@")
exec ssh ${ssh_opts[*]:-} -T "$HOST" "bash -lc \$remote_cmd"
EOF

Recommendation

Generate wrapper contents using safe serialization, such as printf %q for configured literals or a quoted heredoc with variables assigned safely. Validate HOST and path characters, and only use trusted setup values.

What this means

A wrapper for a broad tool such as brew, gh, imsg, or things could read or modify remote Mac or account state if invoked with mutating arguments.

Why it was flagged

The generated wrapper intentionally forwards arbitrary caller arguments to the configured remote macOS binary over SSH. This is purpose-aligned, but it gives any caller of the wrapper the full capability of that remote CLI.

Skill content

remote_cmd=\$(printf '%q ' "$REMOTE_BIN" "\$@")
exec ssh ${ssh_opts[*]:-} -T "$HOST" "bash -lc \$remote_cmd"

Recommendation

Prefer narrow wrappers for specific tools or actions, use non-root remote accounts, and require explicit user confirmation before using wrappers for destructive, publishing, account-changing, or package-changing operations.

What this means

If the gateway account or wrapper is misused, it may act with the privileges of the configured SSH account on the Mac.

Why it was flagged

The skill depends on passwordless SSH credentials to a Mac node. The artifacts disclose this and recommend scoping mitigations, but the credential boundary is high-trust.

Skill content

- Linux gateway can SSH to the target Mac node without a password
- Use a dedicated SSH key for gateway-to-node wrappers whenever possible
- Use non-root accounts on the Mac nodes

Recommendation

Use a dedicated SSH key, restrict it to a non-root Mac account, pin host identity where possible, and revoke the key when the bridge is no longer needed.

What this means

Personal or business data returned by remote Mac tools may become visible on the Linux gateway and to agents that can read command output.

Why it was flagged

The skill explicitly creates a cross-host gateway-to-Mac execution/data path. This is expected for the bridge, but sensitive outputs from tools like imsg, memo, reminders, or Things can cross that boundary.

Skill content

each Mac node is a separately trusted execution surface
cross-host access must be narrow, explicit, and reversible

Recommendation

Only bridge trusted Macs, limit wrappers to needed tools, avoid broad data-dump commands, and document where command output is logged or stored.

What this means

The SSH bridge remains available for future user or agent commands until the wrapper file is removed.

Why it was flagged

The setup script intentionally installs a persistent executable wrapper in the selected bin directory. No hidden background process is shown, but the wrapper remains callable after setup.

Skill content

mkdir -p "$TARGET_DIR"
wrapper="$TARGET_DIR/$safe_name"
...
chmod 755 "$wrapper"
echo "Installed wrapper: $wrapper"

Recommendation

Track installed wrappers, remove wrappers that are no longer needed, and keep wrapper names explicit so users know which Mac and tool they target.