skill-cross-agent-v1.0.0.tar

Security checks across malware telemetry and agentic risk

Overview

The skill is a real SSH-based cross-machine helper, but it needs review because it stores SSH passwords in plaintext, disables SSH host key verification, and enables remote command execution and file transfers.

Install only if you trust the target machines and network, understand that it can execute commands and move files over SSH, and are comfortable reviewing the scripts first. Prefer SSH keys and normal host-key verification, avoid saving passwords with this skill, and do not use it on networks or machines you are not authorized to administer.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as simple cross-machine Agent collaboration, but the documented capabilities go significantly further: LAN scanning, arbitrary remote command execution, remote file upload/download, session enumeration, and storing default credentials including passwords. This mismatch is dangerous because users may authorize the skill without understanding it enables lateral movement, data transfer, and broad remote control across other machines on the network.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script writes `default_pass` directly into `${HOME}/.config/openclaw/cross-agent.conf` in plaintext, creating a recoverable local credential store for SSH access. In the context of a cross-agent SSH orchestration skill, this is especially sensitive because compromise of the local user account, backups, logs, or misconfigured file permissions could expose credentials that enable lateral movement to other OpenClaw instances on the LAN.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script disables SSH host key verification with StrictHostKeyChecking=no and discards known-host tracking via UserKnownHostsFile=/dev/null, so it will trust any host claiming to be the target IP. In a LAN file-transfer tool, this makes man-in-the-middle or host impersonation attacks much easier, allowing an attacker to capture credentials and receive transferred files intended for another OpenClaw instance.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script automatically reads SSH username and password from a local config file and uses them for authentication, which expands the skill from simple task forwarding into credential handling and secret use. In this cross-agent context, that increases risk because the skill is designed to connect to other machines, so stored credentials may be reused silently and exposed through weak local file permissions, accidental disclosure, or misuse by anyone able to invoke the script.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script explicitly disables SSH host key verification with `StrictHostKeyChecking=no` and discards known-host state via `UserKnownHostsFile=/dev/null`. That makes connections unauthenticated and enables man-in-the-middle interception of the remote session, which is especially dangerous here because the same command also supplies credentials for an automated cross-machine admin workflow.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The wizard performs privileged package installation with sudo as part of normal setup, which exceeds the narrowly expected behavior of a connectivity helper and changes the host system without explicit approval. While not inherently malicious, automatically invoking package management increases attack surface and can be abused in environments where users do not expect the skill to request elevated privileges.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README advertises capabilities for network scanning, SSH credential testing, remote task dispatch, file transfer, and command execution without any guardrails, authorization requirements, or safety warnings. In a cross-agent skill, these features materially increase misuse potential because they enable lateral movement and remote control across machines if users apply them to systems they do not own or if weak credentials are used.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation encourages sending usernames, passwords, tasks, and files to other machines over SSH but does not warn users about credential handling, trust boundaries, or the sensitivity of data being transmitted. In this context, omission of these warnings increases the chance of unsafe use, credential reuse exposure, and accidental transmission of sensitive task data to untrusted hosts.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill exposes remote command execution and remote file transfer but does not prominently warn that these features can modify remote systems, exfiltrate data, or be abused for unauthorized operations. Given the skill's purpose is cross-host control, this omission is especially risky because it normalizes high-impact actions without appropriate user caution or constraints.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script stores a password in plaintext without any warning, confirmation, or protective handling, which increases the chance users will unknowingly persist sensitive SSH credentials in an insecure location. Because this skill is designed for cross-machine coordination over SSH, leaked credentials could let an attacker authenticate to peer agents and expand access across the environment.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script explicitly disables SSH host key verification with StrictHostKeyChecking=no and discards known hosts via UserKnownHostsFile=/dev/null, which removes SSH's protection against man-in-the-middle attacks. Because this skill is designed for cross-machine command execution over a LAN and also transmits a password to sshpass, an attacker who can intercept or spoof the target host could capture credentials and execute attacker-controlled remote sessions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script supports password-based authentication and sources the password from a local config file, which encourages storage and reuse of plaintext credentials. In a cross-machine agent skill, this increases the chance of credential disclosure through filesystem access, process inspection, logs, or accidental sharing, enabling unauthorized access to peer OpenClaw instances.

Missing User Warnings

High
Confidence
99% confidence
Finding
Disabling StrictHostKeyChecking and writing known hosts to /dev/null completely removes SSH server identity verification, making man-in-the-middle interception trivial on the LAN or any routed network path. Because this skill is explicitly designed for cross-agent task distribution across machines, the context makes the issue more dangerous: compromised transfers could expose files, credentials, or allow connection to an attacker-controlled host posing as a trusted peer.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script uses sshpass -p with a password sourced from arguments or a local config file, which exposes credentials to process inspection, shell history, and interception if combined with the disabled host verification above. In this skill's cross-machine agent context, the password is reused to authenticate to other OpenClaw instances, so compromise can lead to lateral movement across systems rather than a single failed transfer.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This script performs a full /24 LAN host discovery and then probes a specific service port on every responsive host without any confirmation, authorization check, rate limiting, or warning to the operator. In a cross-agent skill whose purpose is to discover other OpenClaw instances over SSH/LAN, this behavior increases the risk of unauthorized reconnaissance, policy violations, and accidental scanning of networks the user did not intend to probe.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script reads credentials from a local config file and immediately uses them for SSH authentication without clearly informing the user that sensitive secrets are being consumed. That is risky because operators may not realize passwords are stored and reused automatically, and in a cross-machine orchestration skill this makes unintended lateral access easier if the invoking environment is compromised.

Missing User Warnings

High
Confidence
99% confidence
Finding
The SSH invocation disables host key verification with StrictHostKeyChecking=no and writes known hosts to /dev/null, eliminating server identity validation. This enables man-in-the-middle attacks where an attacker on the LAN can impersonate the target OpenClaw instance, capture the supplied password, and receive or alter the forwarded task, which is especially dangerous given the skill's purpose of cross-machine agent coordination.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script reads a stored password from configuration and passes it to `sshpass` for unattended login, while also disabling host verification. This combination exposes reusable credentials to interception and increases the blast radius of configuration theft, process inspection, accidental logging, or MITM attacks against the target OpenClaw instance.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script automatically reads stored SSH credentials, including a plaintext password, from a user config file and immediately uses them for network authentication. In the context of a cross-machine orchestration skill, this increases the risk of unintended credential use, silent lateral movement, and exposure of sensitive secrets if the file permissions or calling context are weak.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script automatically runs sudo apt update && sudo apt install -y sshpass without advance warning or confirmation, causing unexpected privileged system changes. In a security-sensitive tool, silent installation behavior undermines informed consent and can normalize unsafe elevation patterns.

Missing User Warnings

High
Confidence
98% confidence
Finding
The wizard collects a plaintext SSH password, passes it as a command-line argument to another script, and optionally saves it as a default configuration. Command-line arguments and stored plaintext credentials may be exposed via process listings, shell history in downstream scripts, logs, or insecure config files, making credential theft significantly more likely.

VirusTotal

65/65 vendors flagged this skill as clean.
