SSH Vault
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent with its SSH-vault purpose, but it grants broad remote-command authority, reuses cached approval sessions, requests access to all hosts, and points users to an unpinned vault container.
Only install this if you understand that it can run shell commands on remote vault-managed hosts. Before use, restrict the agent to specific hosts, avoid all-host registration, require per-command approval where possible, store sessions securely or clear them after use, and pin or verify the Docker image running your SSH Vault service.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
After an approval session exists, an agent mistake or prompt-influenced command could run powerful shell commands on remote machines without a fresh human approval page for each command.
The skill intentionally enables arbitrary shell execution on remote hosts, and after a session is saved it says later commands bypass approval.
Save `sessionId` to `/tmp/ssh-vault-session.json` — subsequent commands skip approval
Shell metacharacters (`&&`, `;`, `|`, `$()`, backticks) are all allowed in commands.
Require explicit user confirmation for each remote command or narrow the session to a specific host and command; use short TTLs, host allowlists, and avoid running commands derived from untrusted chat or Discord content.
If approved, the OpenClaw agent may receive authority over all vault-managed hosts, increasing the blast radius of mistakes or misuse.
The registration flow asks the vault for access to every host rather than only the host needed for the user's task.
requestedHosts: ['*'],
Change registration to request only user-selected hosts, document the exact access being requested, and declare the vault URL and signing keypair as credentials in metadata.
The cached session can be reused across later tasks and may be exposed or tampered with on multi-user systems, potentially allowing commands to run without a new unlock approval.
A reusable vault session is persisted in a shared temporary path, and the code does not set restrictive file permissions or bind the session to a particular task.
const SESSION_FILE = '/tmp/ssh-vault-session.json'; ... writeFileSync(SESSION_FILE, JSON.stringify(session, null, 2));
Store session data in a user-owned config directory with 0600 permissions, provide an explicit logout/clear-session command, validate session ownership, and consider disabling approval skipping by default.
A future image change or compromised image source could affect the vault service that protects remote-host credentials and command execution.
The setup instructs users to run a mutable `latest` Docker image for a service that stores vault data and handles SSH credential workflows.
docker run -d -p 3001:3001 \
  -v vault-data:/app/data \
  -v vault-config:/app/config \
  qsobad/ssh-vault-mcp:latest
Pin the Docker image by digest or exact version, publish source/provenance for the image, and advise users to verify the image before storing SSH credentials in it.
