ssh-manager
Warn
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides scripts (`connect.sh`, `exec.sh`, `tunnel.sh`) that use the local shell to launch SSH sessions and execute commands on remote systems.
- [COMMAND_EXECUTION]: All SSH implementations in the skill explicitly disable host key verification using `-o StrictHostKeyChecking=no` and `-o UserKnownHostsFile=/dev/null`. This bypasses a fundamental security feature of SSH designed to prevent Man-in-the-Middle (MITM) attacks.
- [REMOTE_CODE_EXECUTION]: The skill includes a dedicated script (`exec.sh`) and instructions for executing arbitrary commands on remote hosts, which constitutes a significant remote code execution surface.
- [DATA_EXFILTRATION]: The skill discloses internal network configuration details, including specific Tailscale IP addresses and hostnames, exposing the structure of the user's private infrastructure.
- [DATA_EXFILTRATION]: The documentation references sensitive file paths such as `~/.ssh/config` and `~/.ssh/known_hosts`, which contain metadata about existing remote connections and trust relationships.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface.
  - Ingestion points: Data is ingested from `tailscale status` output across SKILL.md, connect.sh, and check-host.sh.
  - Boundary markers: None present; the agent parses the command output directly without explicit delimiters or instructions to ignore embedded content.
  - Capability inventory: Includes local subprocess execution (ping, tailscale, lsof) and remote execution via SSH (connect.sh, exec.sh).
  - Sanitization: No input validation or escaping is performed on hostnames or IP addresses retrieved from external commands before they are used in shell commands.