ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SSH OP

v0.1.0

Use the ssh-op helper script to load an SSH private key from 1Password (op) into an in-memory ssh-agent and then run ssh. Use when connecting to hosts that r...

0· 637· 1 versions· 0 current· 0 all-time· Updated 6h ago· MIT-0
byZhihao@moodykong

Security Scans

VirusTotalSuspiciousClawScanSuspiciousStatic analysisBenign

Install

openclaw skills install ssh-op

ssh-op

ssh-op is a wrapper around ssh that:

  • ensures an ssh-agent exists for the current shell
  • loads an SSH key from 1Password via op read ... | ssh-add -
  • then execs ssh with your arguments

Prerequisites

Fail-fast checks you can run:

command -v op ssh ssh-agent ssh-add
op whoami

If op whoami fails:

  • Sign in to 1Password CLI (desktop integration / account sign-in), or
  • If using a service account flow, ensure OP_SERVICE_ACCOUNT_TOKEN is set.

Configuration (portable)

Machine-specific config lives alongside the skill:

  • Example (do not edit): ~/.openclaw/skills/ssh-op/config.env.example
  • Real (machine-specific): ~/.openclaw/skills/ssh-op/config.env

Required keys:

  • SSH_OP_VAULT_NAME — 1Password vault containing the key
  • SSH_OP_ITEM_TITLE — 1Password item title

Optional keys:

  • SSH_OP_KEY_FIELD — defaults to private key
  • SSH_OP_KEY_FINGERPRINT_SHA256 — if set, skip re-loading when already in ssh-agent
  • SSH_OP_HOSTS_FILE — defaults to hosts.conf (ssh config snippet filename)

SSH host entries (optional) live in:

  • ~/.openclaw/skills/ssh-op/hosts.conf

Initialization / installation / onboarding

Preferred (chat-first)

Because the primary interface is chat (Telegram), the preferred onboarding flow is:

  1. Ask Boss the required questions in chat.
  2. Write the real config file: config.env.
  3. Run a smoke test (e.g. ssh-op --help and a safe ssh-op -T <alias>).

Optional (terminal)

If you are running in a real terminal, you can use the interactive onboarding script:

~/.openclaw/skills/ssh-op/scripts/onboard.sh

(If you want a step-by-step runbook, see references/onboarding.md.)

1) Put the executable on PATH

Canonical executable lives inside the skill:

  • ~/.openclaw/skills/ssh-op/scripts/ssh-op

For convenience, create a symlink:

mkdir -p ~/.local/bin
ln -sf ~/.openclaw/skills/ssh-op/scripts/ssh-op ~/.local/bin/ssh-op

2) Configure which key to load

Run onboarding to populate the real config:

~/.openclaw/skills/ssh-op/scripts/onboard.sh

(Or edit config.env manually and set SSH_OP_VAULT_NAME / SSH_OP_ITEM_TITLE.)

Then validate:

ssh-op --help
# try a safe ssh command (or any host alias you have configured)
ssh-op -T <host-alias>

3) (Optional) Manage ~/.ssh/config host aliases

  1. Put desired Host entries in hosts.conf
  2. Apply them idempotently (adds/updates a managed block):
~/.openclaw/skills/ssh-op/scripts/ensure_ssh_config.py

This will update ~/.ssh/config between:

  • # BEGIN ssh-op (managed)
  • # END ssh-op (managed)

Usage

ssh-op <ssh-args...>

Examples:

ssh-op my-host-alias
ssh-op -T my-host-alias
ssh-op -L 8080:localhost:8080 my-host-alias

Notes / behavior

  • No private key is written to disk.
  • ssh-agent lifetime is tied to the current shell unless you export SSH_AUTH_SOCK / SSH_AGENT_PID.

Executables / bin placement

  • Keep the canonical executable in the skill folder (scripts/ssh-op).
  • Use a symlink (e.g. ~/.local/bin/ssh-op) for convenience.

Version tags

latestvk97eyjxwys8014e9s7hqtjr8h581nvff