Billy — SAPCONET SSH Bridge
v0.1.0Standard SAPCONET SSH command templates for bird reads, Puppeteer runs, and inbox messaging workflows.
⭐ 0· 343·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (SSH templates for bird, Puppeteer, inbox messaging) aligns with the included scripts, which are explicit SSH templates/placeholders. However the scripts are placeholders (they echo TODOs rather than implementing the described tasks) and the skill embeds a hard-coded default target (neill@100.110.24.44) which may be unexpected. The SKILL.md does not declare the one environment variable the scripts rely on (SAPCONET_TARGET).
Instruction Scope
Runtime instructions and scripts execute ssh to a remote host with commands provided as string arguments. The message-sending script expands the MESSAGE locally into the remote command without robust escaping, which can allow remote command injection if MESSAGE contains special characters (e.g., single quotes or shell metacharacters). The SKILL.md tells users to export SAPCONET_TARGET but the skill metadata does not reflect that requirement.
Install Mechanism
No install spec; the skill is instruction-only with two local shell scripts. Nothing is downloaded or written during install, so install mechanism risk is low.
Credentials
The scripts require SAPCONET_TARGET (used to form SSH destination) but requires.env in metadata is empty. No credentials are declared even though SSH access requires authentication (SSH keys or agent). The SKILL.md suggests keeping credentials in env vars but does not name which variables or explain how keys are provided, leaving ambiguity and potential misconfiguration.
Persistence & Privilege
The skill does not request persistent/always-on privileges and does not modify other skills or system settings. Autonomous invocation is allowed by default but is not combined here with other red flags that would raise privilege concerns.
What to consider before installing
This skill is a lightweight SSH template but has a few red flags: (1) it expects SAPCONET_TARGET but the metadata doesn't declare it — set this yourself before running (e.g. export SAPCONET_TARGET='user@host'). (2) The scripts default to a hard-coded IP (neill@100.110.24.44); update it to your intended host. (3) Do not pass untrusted input to scripts/msg-sapconet.sh as MESSAGE is expanded without safe escaping — an attacker-controlled message could inject commands to run on the remote host. Sanitize or properly quote inputs (or use ssh and printf %q, or pass the message via stdin). (4) Ensure SSH authentication is handled via your standard SSH keys/agent; the skill does not manage credentials. (5) Review and adapt the placeholder commands carefully before running them. If you need help hardening the scripts (declaring required env, safer quoting, explicit key usage), consider asking for a revised version that properly escapes variables and documents required environment variables.Like a lobster shell, security has layers — review code before you run it.
latestvk97fn09gqcne0svtt8gw1tmw8n81y9nz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.