Skill v0.1.0
ClawScan security
SSH OP · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 22, 2026, 1:08 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (loading a 1Password SSH key into ssh-agent and running ssh) is plausible, but there are multiple incoherences and a missing main executable that prevent verification and warrant caution.
- Guidance: Proceed with caution. Things to check before installing or using this skill:
  1) The package references a runtime script (~/.openclaw/skills/ssh-op/scripts/ssh-op) but that file was not provided for review — inspect that script yourself to ensure it actually does what the README claims and contains no network calls or unexpected behavior.
  2) Ensure you have the 1Password CLI (op) installed and are comfortable that piping the private key from `op read` into `ssh-add -` (in-memory agent) matches your security policy; verify no temporary files are created by the actual ssh-op script.
  3) Back up ~/.ssh/config before running ensure_ssh_config.py; the included Python script has a regex bug and may append duplicate managed blocks instead of updating them idempotently.
  4) Confirm you trust the skill owner and run the onboarding/test steps in an isolated account or VM first.
  5) Ask the publisher to correct metadata to list required binaries (op, ssh, ssh-agent, ssh-add) and either include the canonical executable or explain where it will be installed so reviewers can validate runtime behavior.
Review Dimensions
- Purpose & Capability (concern): The skill's description (use 1Password CLI to load a private key into ssh-agent) matches the included onboarding and helper scripts. However the registry metadata claims no required binaries or env vars while the SKILL.md and onboard.sh explicitly require the `op` CLI and ssh-related binaries. The canonical executable referenced (~/.openclaw/skills/ssh-op/scripts/ssh-op) is described but not included in the provided file contents, so the actual runtime behavior cannot be verified.
- Instruction Scope (concern): SKILL.md and onboard.sh give explicit, scoped instructions (run op whoami, run onboard.sh, run ssh-op, optionally update ~/.ssh/config). They do not instruct broad file-system scraping or network exfiltration. However because the main runtime script (scripts/ssh-op) is not present for review, we cannot confirm it adheres to the documented behavior (e.g., piping `op read ... | ssh-add -`). The provided ensure_ssh_config.py is intended only to manage a delimited block in ~/.ssh/config, but it contains a regex bug that will likely append duplicate blocks instead of updating them idempotently.
- Install Mechanism (ok): There is no install spec (instruction-only with some helper scripts), which is low-risk from an installation standpoint. Nothing is downloaded from external URLs in the package.
- Credentials (concern): The skill does not declare any required environment variables in registry metadata, yet the documentation and onboard.sh rely on the user's 1Password CLI session (op) and optionally OP_SERVICE_ACCOUNT_TOKEN. The skill writes a machine-local config.env containing vault/item names (not secrets). The mismatch between declared requirements and actual runtime requirements is noteworthy and should be corrected/verified before use.
- Persistence & Privilege (ok): The skill does not request global/always-on privileges. It writes a config file in its own skill directory and can update ~/.ssh/config (expected for managing host aliases). It does not attempt to modify other skills or system-wide agent settings.
