Plugin v1.1.0
ClawScan security
SSH Tools · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 31, 2026, 7:16 AM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill appears to implement SSH diagnostics (expected) but contains multiple inconsistencies between its description, runtime instructions, and included code (mismatched file paths, undeclared required binaries, and a promised /ssh_setup command that is not implemented).
- Guidance
- This plugin is plausibly doing what it says — checking SSH keys and attempting an SSH connection to github.com — but there are several inconsistencies you should resolve before trusting it in production. Actions to consider:
  - Confirm which path the plugin will actually check in your deployment: the SKILL.md example (/home/node/.ssh), the shell script (/root/.openclaw/workspace/.ssh), and the TypeScript (~/.ssh) disagree. Keys mounted via K8s Secrets must match the path the running code checks.
  - Ensure openssh-client (ssh, ssh-keygen) is available in the runtime environment; the manifest doesn't declare these binaries even though the code calls them.
  - Note that the plugin will read your private key files and attempt an outbound SSH connection to git@github.com. This is expected for a connectivity check, but if you do not want your private keys read by the plugin, do not mount them into the same path or do not run the plugin.
  - Ask the maintainer to fix the documentation/manifest mismatch (remove the mention of /ssh_setup if it is not implemented, or implement it) and to standardize the checked path.
  - If you want to be cautious, run the plugin in an isolated test environment first and inspect its output and network activity. If anything else in the environment would be sensitive (other credentials, tokens, or other users' keys), avoid mounting them while testing.

  Confidence: high that these inconsistencies exist; there is no evidence of deliberate exfiltration in the code, but the mismatches increase the risk of accidental misconfiguration or unexpected file access.
Review Dimensions
- Purpose & Capability
- concern: The declared purpose (SSH key diagnostics) matches the code's behavior overall, but openclaw.plugin.json claims the plugin provides both /ssh_setup and /ssh_check while index.ts only registers /ssh_check. The README and SKILL.md also reference K8s Secret mounting examples using /home/node/.ssh, but the shipped implementations target different paths — the shell script uses /root/.openclaw/workspace/.ssh and the TypeScript uses the process user's home directory (~/.ssh). That mismatch between claimed commands and actual handlers is incoherent and could cause confusion or incorrect assumptions about where keys are read from or written to.
- Instruction Scope
- concern: SKILL.md and README describe mounting keys via a K8s Secret and call out ssh/ssh-keygen usage. The included code reads local SSH files and invokes ssh to git@github.com (network activity to GitHub), which is consistent with 'GitHub connectivity' testing. However, the instruction materials reference /home/node/.ssh/id_ed25519 while the shell script and TS implementation use different directories, meaning the runtime behavior could differ from user expectations. The code reads private key and known_hosts files (expected for diagnostics) but does not exfiltrate them; it does perform a network connectivity check to github.com (expected for the stated check).
- Install Mechanism
- ok: There is no install spec (instruction-only install), which is the lower-risk option. All code is bundled in the plugin and there are no external downloads or extraction steps. The only external dependencies are runtime binaries (ssh, ssh-keygen) invoked at runtime rather than fetched during install.
- Credentials
- note: The skill declares no required environment variables or credentials, which aligns with a local-diagnostics tool. However, SKILL.md/README state that openssh-client (ssh, ssh-keygen) is required, while the registry metadata declares no required binaries — a documentation/manifest mismatch. The code legitimately reads files under the user's home .ssh directory (private key, public key, known_hosts). That file access is proportionate to the stated purpose, but users should be aware the plugin will read any private key files present in the inspected paths.
- Persistence & Privilege
- ok: The plugin does not request 'always: true' or any elevated persistent privileges, and it doesn't modify other plugins or system-wide settings. It only runs when invoked and performs diagnostics, so the persistence/privilege level is appropriate.
