Back to skill

Security audit

SSH Server

Security checks across malware telemetry and agentic risk

Overview

This SSH skill is purpose-aligned for server administration, but it recommends an unsafe SSH connection option and asks users to store powerful server credentials through unreviewed helper code.

Review before installing. Prefer SSH keys or an SSH agent, do not use the documented `StrictHostKeyChecking=no` command for normal connections, verify host keys, and inspect or avoid the referenced helper script before entering server passwords. Treat any service, Docker, sudo, or file-changing command as requiring explicit approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

High
Confidence
98% confidence
Finding
The documentation instructs users to connect with `ssh -o StrictHostKeyChecking=no`, which disables SSH host key verification and exposes users to man-in-the-middle attacks. In the context of a remote administration skill, this is especially dangerous because it can lead to credential theft, command interception, or connection to an attacker-controlled host.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.