SSH Server

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill's SSH purpose is legitimate, but it asks users to store server passwords through an unreviewed helper and recommends disabling SSH host-key verification.

Only install if you are comfortable granting SSH-based access to real servers. Prefer SSH keys over passwords, verify host keys, inspect or avoid the referenced helper before entering credentials, and explicitly approve any command that changes services, containers, files, or server state.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A fake or intercepted server could capture credentials or cause commands to run on the wrong machine.

Why it was flagged

This recommended SSH command disables host-key verification during a password login, which weakens SSH's protection against connecting to an impersonated server.

Skill content

ssh -o StrictHostKeyChecking=no user@your-server-ip

Recommendation

Do not disable host-key checking by default; verify and pin the server host key, and require explicit user approval for any exception.

What this means

Stored SSH passwords, especially root passwords, could grant full control of a server if mishandled or used without clear boundaries.

Why it was flagged

The skill asks for high-value server credentials and says they will be stored, but the registry declares no primary credential and the credential-handling code is not provided for review.

Skill content

Username: root, ubuntu, etc. - Password: (hidden during input, stored securely)

Recommendation

Prefer SSH keys or an SSH agent, avoid storing root passwords, clearly declare the credential requirement, and document exactly how stored credentials are protected and when they are used.

What this means

A user may be asked to run unreviewed local code that handles server configuration and passwords.

Why it was flagged

The core setup flow depends on a helper script that is not included in the reviewed skill files and no install spec is supplied, so its provenance and behavior cannot be verified from the artifacts.

Skill content

python D:\openClaw\openclaw\config\ssh_config.py add

Recommendation

Include the helper script in the skill package or replace it with standard SSH configuration instructions; ensure any helper code is reviewed, versioned, and limited to the stated purpose.