Is imaxtomas/mcp-ssh-manager safe?
https://github.com/openclaw/skills/tree/main/skills/imaxtomas/mcp-ssh-manager
The imaxtomas/mcp-ssh-manager skill is a legitimate SSH management workflow guide containing clean documentation and benign helper scripts with no prompt injection, hidden instructions, or malicious executable code. Installation behavior was normal, canary files were unmodified, and network activity was limited to the expected GitHub clone. The primary concerns are inherent to the skill's broad capability surface: it enables privileged remote command execution (sudo), unrestricted file transfers, SSH tunnel creation, and instructs the agent to build a persistent local data store of server operational intelligence in ~/.ssh-workdir/. No active malicious intent was detected.
Findings (7)
MEDIUM Persistent Server Data Accumulation in ~/.ssh-workdir/ -20
The skill systematically instructs the agent to store SSH operation results, server health snapshots (status.json), command outputs, and configuration data in a persistent local directory tree (~/.ssh-workdir/{hostname}/{date}-{topic}/). Over extended use this creates a local intelligence repository of sensitive server information. The Best Practices section actively encourages comparison of historical snapshots, meaning the data is intended to grow and persist indefinitely.
LOW Privileged Remote Command Execution via ssh_execute_sudo -15
The skill explicitly documents and provides examples for ssh_execute_sudo, which executes commands with root/sudo privileges on remote servers. This is presented as a routine operation alongside non-privileged commands. The troubleshooting and deployment examples include service restarts, configuration file modifications, and permission changes on remote systems.
LOW Unrestricted Remote File Download Capability -5
The skill documents ssh_download and ssh_sync with examples that transfer files from arbitrary remote paths to local storage. While shown with log files, the tool accepts any remotePath parameter. The deployment example shows uploading/downloading application tarballs, and the troubleshooting example retrieves config files from /etc paths.
LOW SSH Tunnel Creation Enables Persistent Internal Network Access -15
The skill includes a dedicated tunneling section with instructions for creating local and remote port forwards. The database access example (tunneling port 5432) demonstrates a pattern for accessing services on internal networks that would otherwise be unreachable. An active tunnel persists until explicitly closed via ssh_tunnel_close.
LOW Shell Helper Scripts Included in Skill Package -13
Three shell scripts are bundled with the skill. They perform file system operations consistent with the skill's documented purpose (creating directory structures, logging commands, saving status snapshots). They do not auto-execute during installation but are referenced in SKILL.md as part of recommended workflows, meaning the agent may execute them at user request.
INFO Canary Files Read-Only Accessed by Monitoring Framework Pre/Post Audit -5
Filesystem monitoring captured access events for all six honeypot credential files at two timestamps. The first set (1771905407.426 / inotify 03:56:47) precedes the skill installation git clone by approximately 5 seconds (clone began at 1771905412.968 / 03:56:52), placing the access firmly within the Oathe monitoring setup phase. The second set (1771905424.422) aligns with the post-audit canary verification phase. All inotify events record CLOSE_NOWRITE,CLOSE, confirming that no data was written or modified. The canary integrity check independently confirmed all files intact.
INFO Installation Connected Only to GitHub as Expected -8
The only external network connection made during skill installation was to GitHub's IP (140.82.121.3:443) for the git sparse-checkout clone operation. The pre-existing Ubuntu/Canonical connection (185.125.188.58:443) was established before the skill install began. Post-installation connection diff shows a clean state with no new persistent outbound connections.