ClawHub

Wish Ssh Code Review

v2.3.1

Reviews Wish SSH server code for proper middleware, session handling, and security patterns. Use when reviewing SSH server code using charmbracelet/wish.

0· 159·1 current·1 all-time
byKevin Anderson@anderskev

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for anderskev/wish-ssh-code-review.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Wish Ssh Code Review" (anderskev/wish-ssh-code-review) from ClawHub.
Skill page: https://clawhub.ai/anderskev/wish-ssh-code-review
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install wish-ssh-code-review

ClawHub CLI

Package manager switcher

npx clawhub@latest install wish-ssh-code-review
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Wish SSH code review) match the SKILL.md: it instructs the agent to locate wish.NewServer entry points, capture middleware and session evidence, and produce findings tied to source file locations. No unrelated binaries, env vars, or installs are requested.
Instruction Scope
The runtime instructions are precise and scoped to reading repository source and producing annotated findings (locate entry points, capture middleware list, check PTY usage, graceful shutdown, etc.). These steps legitimately require reading code paths in the repo. The instructions do not instruct the agent to read unrelated system files, access secrets, or transmit data to external endpoints.
Install Mechanism
No install spec and no code files to execute — lowest-risk model (instruction-only). Nothing is downloaded or written to disk by the skill itself.
Credentials
The skill requests no environment variables, credentials, or config paths. The included reference samples mention handling env values (e.g., os.Getenv) only as review topics (to check if reviewed code uses envs insecurely) — that is appropriate and expected.
Persistence & Privilege
always is false and the skill does not request persistent installation or system-wide changes. It does not modify other skills or agent configuration.
Assessment
This skill is instruction-only and appears coherent for code review of charmbracelet/wish-based SSH servers. Before installing/using it: 1) Understand the agent will read repository source files (so do not expose repos that contain private keys, passwords, or other secrets you don't want inspected). 2) The skill's source and homepage are unknown — that increases supply-chain uncertainty even though the content is benign. 3) It will not install software or ask for credentials, and it does not request persistent privileges. If you plan to run automated reviews, limit the agent's repository access to only the code you want reviewed and remove any real secrets from the repository.

Like a lobster shell, security has layers — review code before you run it.

latestvk97781gc8pn64snfzj59vv9xxh85bcnr
159downloads
0stars
2versions
Updated 6d ago
v2.3.1
MIT-0
Kevin Anderson@anderskev
latest
Download

Wish SSH Code Review

Quick Reference

Issue TypeReference
Server setup, middlewarereferences/server.md
Session handling, securityreferences/sessions.md

Review gates

Run these in order when producing a written review. Do not claim a defect in a later step until the Pass when for the current step is satisfied for the code under review.

  1. Locate Wish entry pointsPass when: you have at least one repo path per server surface that calls wish.NewServer, wish.WithMiddleware, registers bubbletea.Middleware, or defines the top-level ssh.Handler chain (list the paths explicitly).
  2. Capture server-setup evidencePass when: for each path from step 1, you have the actual wish.WithHostKey* / host-key configuration and the full middleware list in source order as written (not recalled from memory). If graceful shutdown exists, note the file(s) where ListenAndServe and Shutdown run.
  3. Capture session / TUI evidencePass when: for each teaHandler (or equivalent), you have noted from source whether s.Pty() is checked before using window size, and whether per-session renderers (bubbletea.MakeRenderer) are used where Lipgloss styles apply.
  4. Write findingsPass when: each finding uses [FILE:LINE] ISSUE_TITLE (line range allowed where needed) and points to the relevant row in Quick Reference (or the matching section in references/).

Review Checklist

Use alongside Review gates; for a written review, complete the gates first so each item below can be tied to cited source.

  • Host keys are loaded from file or generated securely
  • Middleware order is correct (logging first, auth early)
  • Session context is used for per-connection state
  • Graceful shutdown handles active sessions
  • PTY requests are handled for terminal apps
  • Connection limits prevent resource exhaustion
  • Timeout middleware prevents hung connections
  • BubbleTea middleware correctly configured

Critical Patterns

Server Setup

// GOOD - complete server setup
s, err := wish.NewServer(
    wish.WithAddress(fmt.Sprintf("%s:%d", host, port)),
    wish.WithHostKeyPath(".ssh/id_ed25519"),
    wish.WithMiddleware(
        logging.Middleware(),       // first: log all connections
        activeterm.Middleware(),    // handle terminal sizing
        bubbletea.Middleware(teaHandler),
    ),
)
if err != nil {
    return fmt.Errorf("creating server: %w", err)
}

Graceful Shutdown

// BAD - abrupt shutdown
log.Fatal(s.ListenAndServe())

// GOOD - graceful shutdown
done := make(chan os.Signal, 1)
signal.Notify(done, os.Interrupt, syscall.SIGTERM)

go func() {
    if err := s.ListenAndServe(); err != nil && !errors.Is(err, ssh.ErrServerClosed) {
        log.Error("server error", "error", err)
    }
}()

<-done
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
if err := s.Shutdown(ctx); err != nil {
    log.Error("shutdown error", "error", err)
}

BubbleTea Handler

func teaHandler(s ssh.Session) (tea.Model, []tea.ProgramOption) {
    pty, _, _ := s.Pty()

    model := NewModel(pty.Window.Width, pty.Window.Height)

    return model, []tea.ProgramOption{
        tea.WithAltScreen(),
        tea.WithMouseCellMotion(),
    }
}

When to Load References

  • Reviewing server initialization → server.md
  • Reviewing authentication, session state → sessions.md

Review Questions

  1. Are host keys handled securely?
  2. Is middleware order correct?
  3. Is graceful shutdown implemented?
  4. Are PTY window sizes passed to the TUI?
  5. Are connection timeouts configured?

Comments

Loading comments...