ssh-tool
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The script uses `child_process.spawn` to invoke the system SSH client, enabling the execution of arbitrary commands on remote servers.
- [CREDENTIALS_UNSAFE]: The tool accepts a `--password` command-line argument, which results in the SSH password being visible in cleartext in the system's process list (e.g., via `ps` or `top`), exposing it to other users and local processes.
- [DATA_EXFILTRATION]: The `--key` parameter allows the tool to access any local file path to load SSH private keys, creating a risk that sensitive identity files could be accessed or exfiltrated if the path is controlled by an untrusted source.
- [REMOTE_CODE_EXECUTION]: The script explicitly disables SSH host key verification by passing `StrictHostKeyChecking=no` and `UserKnownHostsFile=/dev/null` to the SSH command. This removes the primary defense against Man-in-the-Middle (MitM) attacks, allowing an attacker to intercept the connection and potentially execute commands on the target host.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it returns raw, unsanitized output from remote commands to the agent context.
  - Ingestion points: Remote command output (stdout/stderr) processed in `ssh-tool.js`.
  - Boundary markers: None; raw output is returned without delimiters or instructions to ignore embedded commands.
  - Capability inventory: Remote command execution, interactive shell access, and local file reads (via `--key`).
  - Sanitization: No validation or escaping is performed on the data returned from the remote host.
Recommendations
- AI detected serious security threats
Audit Metadata