Ssh Remote Sanitized

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate SSH server-management skill, but it gives an agent broad remote administrative power with weak scoping and several unsafe operations that users should review carefully.

Install only if you intentionally want an agent to administer SSH-accessible servers. Use least-privilege SSH accounts, prefer keys over passwords, avoid production/root credentials where possible, review exact commands and paths before execution, and avoid the log cleanup, hardening, recursive transfer, and preset upload functions unless you have backups and a recovery path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 83%
Finding: The skill advertises capabilities that imply shell and environment access, including remote command execution and file transfer, but does not declare permissions or trust boundaries. This increases the chance that a host platform or user will underestimate the skill's power, leading to unsafe invocation or insufficient review.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: The system overview function makes an outbound request to ifconfig.me to determine the public IP address. This discloses that the monitored host is running the skill, leaks network metadata to a third party, and can violate privacy or network-segmentation expectations in server administration environments.

Vague Triggers
Severity: Medium
Confidence: 90%
Finding: The trigger phrases include broad natural-language terms like “服务器状态” (server status) and “查看日志” (view logs), which are common in ordinary conversations about systems and troubleshooting. In a skill that can connect to servers, inspect logs, and execute administrative actions, overly broad triggers increase the chance of unintended activation and accidental remote operations.

Missing User Warnings
Severity: Medium
Confidence: 85%
Finding: The README advertises remote command execution, file transfer, and service management without prominently warning that these actions can modify or disrupt remote systems and data. For an administrative SSH skill, under-communicating the destructive potential can lead users or agents to invoke powerful features without appropriate caution or approval.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The documentation promotes remote command execution, service management, and file upload/download without warning that these actions can alter systems, exfiltrate data, or cause outages. In an SSH administration skill, this context makes the issue more dangerous because the core purpose is operating on remote production-like hosts where mistakes or misuse have high impact.

Vague Triggers
Severity: Medium
Confidence: 86%
Finding: The trigger set includes generic administrative phrases for a capability that can execute remote operations, which increases the chance of accidental invocation. In the context of an SSH management skill, unintended activation is more dangerous than usual because it may lead to remote command execution or privileged server actions on production systems.

Vague Triggers
Severity: Medium
Confidence: 89%
Finding: The service-management triggers include broad terms like system/service management that can overlap with common troubleshooting requests. Because this skill can plausibly start, stop, or restart remote services, accidental activation could directly disrupt availability on managed hosts.

Vague Triggers
Severity: Medium
Confidence: 80%
Finding: Generic log-analysis triggers are ambiguous and may activate on ordinary requests to view or discuss logs. In an SSH skill, unintended invocation can expose sensitive remote log contents or cause the agent to access systems the user did not clearly intend to query.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The manifest advertises remote command execution, file transfer, and service management but does not disclose that these actions can be destructive, privacy-impacting, or affect remote production systems. Missing risk signaling is especially dangerous here because users may invoke the skill without understanding that it can modify services, move data, or execute privileged commands over SSH.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The configuration schema explicitly solicits sensitive fields such as passwords and key passphrases without any guidance on secure storage, masking, or preference for safer authentication methods. In an SSH administration skill, this elevates the risk of credential leakage, insecure configuration handling, and operator normalization of storing plaintext secrets.

Missing User Warnings
Severity: Medium
Confidence: 75%
Finding: Bulk recursive download amplifies filesystem impact because one call can create many directories and files locally, potentially consuming disk space or overwriting expected contents. In an SSH remote-management skill, remote directory contents may be influenced by a compromised or untrusted server, so blindly mirroring names and structure locally increases the chance of destructive or unsafe local writes.

Missing User Warnings
Severity: Medium
Confidence: 77%
Finding: This function writes directly to a caller-provided local path with no directory creation, path validation, overwrite protection, or confirmation, so it can clobber existing local files if used unsafely. In the context of an SSH file-transfer skill, downloading from remote systems into arbitrary local paths creates a meaningful local integrity risk, especially when destination paths are constructed from external input.

Missing User Warnings
Severity: High
Confidence: 96%
Finding: cleanupOldLogs executes a privileged remote deletion command against /var/log with no confirmation, dry-run mode, path scoping beyond a broad glob, or safety interlock. In an SSH administration skill, a mistaken call, parameter misuse, or downstream prompt/agent abuse could irreversibly destroy forensic and operational logs on production systems.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The code performs a remote network call to an external IP-discovery service without any user-facing warning, consent, or indication in the returned overview that third-party communication occurred. In an SSH remote-management skill, this is more sensitive because operators may expect read-only local inspection, not outbound traffic from production servers to the public internet.

Missing User Warnings
Severity: High
Confidence: 98%
Finding: This function can execute privileged state-changing operations on remote hosts, including editing sshd_config, enabling firewalls, installing packages, and enabling services, without any confirmation, dry-run, rollback, or safety interlock in this file. In an agent setting, that makes accidental lockout, service disruption, or unintended persistent changes much more likely, especially because the operations are performed over SSH on production-like systems.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The code constructs shell commands with unquoted, unsanitized remote path input: ``conn.exec(`mkdir -p ${remoteDir}`)`` and similarly for nested paths. If `remoteDir` or derived names contain shell metacharacters such as `;`, backticks, or `$()`, an attacker could inject arbitrary commands on the remote host with the privileges of the SSH session.

Sudo/Root Execution
Severity: Medium
Category: Privilege Escalation
Content:

```javascript
// Set the owner (requires sudo).
// Note: settings.owner and remotePath are interpolated unquoted into the shell command.
await new Promise((resolve, reject) => {
  conn.exec(`sudo chown ${settings.owner} ${remotePath}`, (err) => {
    if (err) reject(err);
    else resolve();
  });
});
```

Confidence: 99%
Finding: sudo

VirusTotal

66/66 vendors flagged this skill as clean.
