ssh-remote-connection
Warn
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/connect.sh` allows for the execution of arbitrary bash commands on a remote server, which is the primary function of the skill.
- [REMOTE_CODE_EXECUTION]: The skill facilitates the execution of code on remote infrastructure. The safety of this operation depends entirely on the integrity of the remote environment and the user's configuration.
- [CREDENTIALS_UNSAFE]: The skill handles sensitive SSH credentials through environment variables and `.env` files.
  - Evidence: The script `scripts/connect.sh` uses the `-A` flag with the `ssh` command, enabling SSH Agent Forwarding. This allows the remote host to access the local SSH agent. If the remote server is compromised, an attacker could use this access to authenticate to other servers as the user.
  - Evidence: The script uses `expect` to automate `ssh-add`, passing the `SSH_KEY_PASSWORD` variable into a spawned process. Depending on the environment's process logging, this could expose the passphrase to other users on the system.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection because it ingests and processes untrusted data from remote servers.
  - Ingestion points: `scripts/connect.sh` captures and returns the standard output and error from remote SSH commands to the agent (e.g., reading server logs via `docker compose logs`).
  - Boundary markers: No boundary markers or delimiters are used to wrap the remote content or warn the agent to ignore instructions embedded in the output.
  - Capability inventory: The skill includes the capability to execute shell commands and manage Docker containers via `ssh` in `scripts/connect.sh`.
  - Sanitization: No sanitization or filtering of the remote command output is performed before it is provided to the agent.
Audit Metadata