ssh-tunnel

Fail

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
  • Persistence Mechanisms (HIGH): The skill documentation specifies that the installation process automatically sets up a macOS LaunchAgent so that a background menu bar application starts on every login, which maintains persistence.
  • Unverifiable Dependencies (MEDIUM): The skill relies on @statechange/ssh-tunnel-manager, a third-party package from the npm registry that is not part of the trusted organization list.
  • Remote Code Execution (HIGH): The instructions direct the agent to execute code from the untrusted package via npx electron, which runs an external application.
  • Indirect Prompt Injection (LOW): The skill lacks sanitization for user-provided parameters like hostnames and usernames before interpolating them into shell commands. Evidence:
      1. Ingestion points: --host, --user, and port flags in the ssh-tunnels add command.
      2. Boundary markers: None present to distinguish data from instructions.
      3. Capability inventory: Execution of npm and shell-based CLI commands.
      4. Sanitization: None visible in the provided Markdown instructions.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 21, 2026, 01:13 PM