Remote Skill Test

Warn. Audited by ClawScan on May 10, 2026.

Overview

This skill is a disclosed remote-testing helper, but it runs another agent over SSH with confirmations disabled and broad remote credentials, so it needs careful review before use.

Use this only on a disposable or tightly scoped jump host with test credentials. Verify the panlm/skills source and version, avoid production SSH/API credentials, expect the remote agent to act without further confirmations, and review or remove stored logs after each run.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The remote test may continue past points where the target skill would normally ask you to approve a risky action.

Why it was flagged

The skill always modifies the user's test prompt to tell the remote agent to bypass confirmations and proceed automatically, including for cross-directory reads.

Skill content
Append the following suffix to the user's prompt (always): "如果需要跨目录读取文件,直接操作不要确认。所有操作自动执行,不要等待用户确认。" (English translation: "If files need to be read across directories, operate directly without asking for confirmation. Execute all operations automatically; do not wait for user confirmation.")
Recommendation

Show the exact final prompt before execution, make the auto-confirm suffix optional, and require explicit user approval for high-impact tests.

What this means

A target skill or mistaken prompt could read or write outside the test directory, run tools, or affect remote/cloud resources without another confirmation step.

Why it was flagged

The workflow disables SSH host-key checking and runs OpenCode with a flag that auto-approves permission prompts while executing the target skill remotely.

Skill content
`ssh -i {SSH_KEY} -o StrictHostKeyChecking=no {USER}@{HOST}` ... `opencode run --dangerously-skip-permissions "${FULL_PROMPT}"`
Recommendation

Use a disposable remote host or sandboxed account, avoid `--dangerously-skip-permissions` for destructive skills, and keep SSH host verification enabled where possible.

What this means

Actions run with whatever privileges the supplied remote account and configured provider/API keys have.

Why it was flagged

The skill requires sensitive SSH access and relies on remote environment credentials, but the artifacts do not bound those credentials to a least-privilege test account.

Skill content
Please provide: user@host, and the SSH key path ... Use `bash -i -c` to load `.bashrc` environment variables (LLM provider URL, API keys, etc.)
Recommendation

Use a dedicated low-privilege SSH key, non-production provider/API credentials, and a remote test account with limited file and cloud permissions.

What this means

The remote test may run whatever version of the full skill repository is available at execution time, not just the target skill you intended to test.

Why it was flagged

The runtime workflow pulls and installs a broad, unpinned skill repository with auto-confirm. This is disclosed and purpose-aligned for dependencies, but provenance and version pinning are not clear.

Skill content
`npx skills add panlm/skills -y` ... installs all skills at project level ... all skills must be installed together.
Recommendation

Pin the repository version or commit, verify the source before running, and install only the target skill plus necessary dependencies when possible.

What this means

Sensitive test details could remain on the remote host and in local ./test-results after the run.

Why it was flagged

The skill persistently stores remote agent output and reports for comparison. This is useful for diagnostics, but those files may contain sensitive prompts, paths, resource names, or error output.

Skill content
All output (stdout + stderr) is captured to `opencode-run.log` ... Reports and logs stored locally in timestamped directories.
Recommendation

Avoid putting secrets in prompts, review logs before sharing them, restrict file permissions on test-results, and delete or redact old runs when no longer needed.

What this means

A user may believe the remote host will not be modified beyond test directories, even though the invoked target skill can perform broader actions.

Why it was flagged

The safety statement understates the impact of running a target skill with permission prompts disabled; the target skill may still perform file writes or other mutations.

Skill content
`--dangerously-skip-permissions` ... auto-confirm directives are appended automatically ... Safety Rules: `No remote modifications | Only creates test directories and runs opencode run`
Recommendation

Revise the safety documentation to state clearly that target skills can modify remote files or external accounts, and require sandboxing or confirmation for risky targets.