ssh_file_manager

Security checks across malware telemetry and agentic risk

Overview

The skill does what it describes, managing files over Tailscale SSH, but it gives an agent broad remote and local file-control power with weak built-in guardrails.

Install only if you intentionally want an agent to manage files across your Tailnet using your SSH privileges. Verify the exact host and path before every operation, use a limited SSH identity where possible, avoid running it against privileged system paths, and treat pull/push/delete/chmod as high-risk until the helper adds path restrictions, overwrite protection, and enforced confirmations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
command,
    ]
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout, input=stdin)
        return result.returncode, result.stdout, result.stderr
    except subprocess.TimeoutExpired:
        return -1, "", "SSH connection timed out"
Confidence: 96%
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout, input=stdin)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
dst,
    ]
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
        return result.returncode, result.stdout, result.stderr
    except subprocess.TimeoutExpired:
        return -1, "", "SCP connection timed out"
Confidence: 85%
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding
The skill explicitly instructs the agent to invoke local shell commands (`python3 ...`, `ssh`, `scp`, `sftp`) and perform remote file operations, yet it declares no permissions. This creates a hidden capability boundary issue: callers, reviewers, or policy systems may treat the skill as low-risk while it can read files and execute shell-driven remote actions that may modify or exfiltrate data across tailnet hosts.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The pull action writes attacker-controlled remote content directly to an arbitrary local path supplied by the caller, with no path restrictions or overwrite protections. In an agent context, a malicious or compromised remote host could cause sensitive local files to be overwritten or plant files in privileged locations, making this more dangerous than a mere missing warning.

VirusTotal

67/67 vendors flagged this skill as clean.