Rssh2 - SSH Remote Automation Tool
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent SSH automation skill, but it gives an agent broad remote-server control and handles SSH credentials without clear guardrails or host-verification guidance.
Install only if you intentionally want an agent to manage remote machines over SSH. Use a non-root, least-privilege SSH account; verify host fingerprints; avoid passwords when possible; approve each command, file deletion, upload, download, and tunnel; and replace the example host and key path before running any code.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent connects to the wrong or spoofed SSH server, passwords could be exposed and commands could run against an unintended system.
The code uses SSH passwords, private keys, and passphrases, but the reviewed connection setup does not show a hostVerifier, known_hosts check, or fingerprint pinning. For an SSH credential-bearing tool, this leaves host identity validation unclear.
client.connect({
host: this.config.host,
port: this.config.port,
username: this.config.username,
password: this.config.password,
privateKey,
passphrase: this.config.passphrase,
Add and document SSH host key verification, such as known_hosts or fingerprint pinning, and require explicit user approval before using new hosts or credentials.
A mistaken or autonomous agent action could alter or delete files, restart services, or disrupt a remote machine.
The documented workflows include arbitrary remote command execution, service restarts, deployment changes, and remote file deletion. These are expected for SSH automation, but the artifacts do not show approval prompts, command/path limits, dry-run behavior, or rollback guidance.
await rssh2.exec('systemctl restart nginx');
...
await rssh2.exec('cd /var/www && unzip -o /tmp/app.zip');
...
#### `delete(path)`
Delete a file
Use this only with explicit per-action approval for commands, transfers, deletions, and tunnels. Prefer least-privilege SSH accounts and consider adding allowlists or confirmation gates.
Copying the example could cause unintended SSH connection attempts or encourage privileged root access.
The quick-start example uses a specific-looking host, root account, and personal private-key path rather than neutral placeholders. This conflicts with the later safety advice not to use root and could lead users or agents to copy an unsafe example.
host: 'bg.dlna.net', port: 38022, username: 'root', privateKey: '/home/yupeng/.ssh/id_ed25519'
Replace the quick-start values with neutral placeholders such as example.com, a non-root user, and /path/to/key; make least-privilege usage explicit.
Dependency installation may run npm package scripts as part of normal setup.
The ssh2 dependency is purpose-aligned and locked with integrity, but it includes an install script. That is not suspicious by itself, but users should recognize that installing the dependency may execute package install-time code.
"node_modules/ssh2": {
"version": "1.17.0",
"resolved": "https://registry.npmjs.org/ssh2/-/ssh2-1.17.0.tgz",
"integrity": "sha512-wPldCk3asibAjQ/kziWQQt1Wh3PgDFpC0XpwclzKcdT1vql6KeYxf5LIt4nlFkUeR8WuphYMKqUA56X4rjbfgQ==",
"hasInstallScript": true
Install only from trusted registries, keep the lockfile, and review dependency updates before upgrading.
