Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
sjht-ssh-ops
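v1.0.1
SSH key management and remote server operations tool. Used to generate SSH keys, deploy public keys to remote hosts for passwordless login, test connections, view remote host information, and run operations commands remotely. Use when the user needs to connect to a remote server, configure passwordless SSH login, manage servers, deploy applications, or execute commands on a remote host. Trigger phrases include: "SSH登录" (SSH login), "免密登录" (passwordless login), "服务...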
by @aowind
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description align with the included SKILL.md and the bash script. The script provides key generation, public-key deployment (ssh-copy-id via sshpass), connection testing, host info, and listing — all expected for an SSH ops utility.
Instruction Scope
SKILL.md and the script explicitly instruct the agent/user to run the included shell script and to perform arbitrary remote commands over SSH (expected). The script uses ssh-copy-id with StrictHostKeyChecking=no (accepts unknown host keys) and will attempt to install system package sshpass automatically; both are operational choices that reduce manual friction but weaken host-key verification and modify the system.
Install Mechanism
There is no skill-level install spec (instruction-only), but the runtime script will attempt to install the sshpass package via apt-get or yum if missing. This modifies the host system, requires package manager access (and likely root), and is a side-effect the user should consent to and review.
Credentials
The skill metadata declares no required env vars, but SKILL.md and the script rely on an SSHPASS environment variable when deploying keys. SSHPASS carries a plaintext password for remote hosts — it's appropriate for the deploy feature but should have been declared as an optional env requirement and documented with cautions. Also the script reads/writes ~/.ssh (expected) and writes a private key file locally.
Persistence & Privilege
The skill does not request persistent/always-on privileges and is user-invocable. However, at runtime it writes to ~/.ssh (creates keys) and can modify system packages (install sshpass). These are normal for this utility but are side effects that require user permission.
Assessment
This skill appears to do what it claims: generate SSH keys, deploy public keys, test logins, and run remote commands. Before installing or running it, review and consider the following:
- Inspect the script yourself (scripts/ssh-key-setup.sh) to confirm you're comfortable with its behavior. It will write keys to ~/.ssh and may overwrite or add files there.
- The script will try to install sshpass via apt-get or yum automatically if missing. That changes system packages and likely requires root; prefer to install sshpass yourself or run the script with awareness of this side effect.
- Deployment uses an SSHPASS environment variable for the target host password. Do not store that password in chat logs or persistent files; pass it only in a secure, ephemeral way and unset it afterwards. Recognize this transmits plaintext credentials to sshpass for password-based login during deployment.
- The script calls ssh-copy-id with StrictHostKeyChecking=no, which accepts unknown host keys and bypasses interactive host-key verification — consider verifying host keys manually to avoid connecting to an unexpected host.
- Because the skill runs shell commands, only use it with hosts you trust. If you need stronger guarantees, run the script locally (not via an agent) and ensure your environment has appropriate backups for existing SSH keys.
If you want higher assurance, ask the maintainer to (1) declare SSHPASS as an optional env var in metadata, (2) avoid auto-installing packages without user confirmation, and (3) document required privileges for package installation.
Like a lobster shell, security has layers — review code before you run it.
