SSH Vault

Security checks across malware telemetry and agentic risk

Overview

This skill performs real remote SSH command execution and largely discloses that, but it also asks for broad host access and caches approval sessions in a weak location.

Install only if you deliberately want this agent to run commands on vault-managed hosts. Use a dedicated low-privilege vault key, restrict host registration instead of approving wildcard access, avoid shared-machine use with the /tmp session cache, clear cached sessions after work, and verify or pin the Docker backend image.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The registration flow explicitly requests access to all hosts via requestedHosts: ['*'], which grants far broader authority than the skill description implies. In a tool designed to execute remote SSH commands, overbroad registration materially increases blast radius if the agent, session, or vault integration is misused or compromised.

Intent-Code Divergence

Severity: Medium
Confidence: 83%
Finding
The file header states the CLI signs requests, but multiple sensitive API operations such as unlock initiation, unlock submission, status checks, and registration are sent without signatures. That inconsistency can weaken trust guarantees and may allow unauthenticated or insufficiently authenticated calls if the server accepts these endpoints as-is, which is especially risky for a remote command-execution skill.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill explicitly permits unrestricted shell metacharacters in commands executed on remote hosts, but provides no guardrails requiring confirmation, sanitization, or risk disclosure for destructive or injection-prone input. In this context, the danger is elevated because the skill is specifically designed to run commands on vault-managed infrastructure, so unsafe command composition or relaying untrusted user text could lead to remote command injection, data loss, or host compromise.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The script stores session data in /tmp/ssh-vault-session.json without setting restrictive permissions or warning the user, exposing a vault session token in a shared temporary location. On multi-user systems or environments with weak temp-file hygiene, another process or user may read, replace, or race this file to hijack or disrupt authenticated vault access.

VirusTotal

64/64 vendors flagged this skill as clean.