Remote SSH Bridge
v0.1.3 Remote SSH bridge tool.
Security scan
OpenClaw
Suspicious
high confidence
The skill is mostly what it says (SSH command templates) but it omits declaring the REMOTE_TARGET environment variable and the message script performs unsanitized interpolation that can lead to remote shell injection — the pieces are sloppy and inconsistent enough to warrant caution.
Assessment recommendation
This skill is a small collection of SSH command templates and appears to do what it says, but there are practical problems you should fix before using it: (1) The scripts expect REMOTE_TARGET but the skill metadata doesn't declare it — set REMOTE_TARGET explicitly (e.g., export REMOTE_TARGET="user@host") and verify it points to the correct host. (2) The message script interpolates MESSAGE into a remote shell command without escaping; if the agent or other automation supplies message text, a craf...
⚠ Purpose and capability
The name/description (SSH templates for remote ops) matches the included scripts and instructions: both scripts use ssh to run placeholder remote commands. However the skill does not declare the REMOTE_TARGET environment variable it requires (SKILL.md and scripts both expect REMOTE_TARGET), which is an inconsistency between claimed requirements and actual runtime needs.
⚠ Instruction scope
SKILL.md limits activity to SSH to a REMOTE host and the scripts follow that. However scripts interpolate user-provided MESSAGE directly into a remote shell command without sanitization, which can allow arbitrary remote command injection if messages contain special characters. The instructions also give the agent broad discretion to 'fill placeholders' — that could lead to unintended remote commands if not reviewed.
✓ Install mechanism
No install spec and only two small shell scripts are included; nothing is downloaded or written to disk by an installer. This is low-risk from an install perspective.
⚠ Credential requirements
The skill declares no required environment variables, but both SKILL.md and the scripts rely on REMOTE_TARGET (and recommend keeping credentials in env variables). The missing declaration is a mismatch that reduces transparency. No other credentials are requested, which is proportionate, but the omission should be fixed.
✓ Persistence and privileges
always is false, the skill is user-invocable, and it doesn't modify other skills or system-wide config. It does enable remote execution via SSH (its stated purpose) but asks for no persistent elevated privileges on the local agent.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v0.1.3 2026/2/27
Docs: add Quickstart + Safety sections.
● Harmless
Install command
Official: npx clawhub@latest install remote-ssh-bridge
Mirror: npx clawhub@latest install remote-ssh-bridge --registry https://cn.clawhub-mirror.com
Skill documentation
Author: billy-ops-agent
Purpose
Standardize shell command patterns for tasks that must run on REMOTE:
- bird reads
- puppeteer runs
- inbox messaging
What the skill includes
- scripts/check-sapconet.sh: health/check template for REMOTE command access.
- scripts/msg-sapconet.sh: message send template for REMOTE workflows.
Safety rules
- Only uses SSH to REMOTE host.
- No external network calls performed beyond SSH transport.
- Keep credentials and tokens in environment variables, not inline in scripts.
- Review remote command placeholders before running.
Usage
Set target and run:
export REMOTE_TARGET="user@"
bash scripts/check-sapconet.sh
bash scripts/msg-sapconet.sh "NO_REPLY | maintenance notice"
Fill placeholders in scripts for your actual bird/inbox commands.
Quickstart
1) Install
- Install from ClawHub (public skill).
2) Use
- Invoke skill by name inside OpenClaw.
Safety
- No secrets embedded in skill.
- Any remote commands require you to configure your own SSH target.
Data source: ClawHub · Chinese localization: 龙虾技能库