Security Audit: SSH Penetration Testing
Source: github.com/davila7/claude-code-templates
Trust Assessment
SSH Penetration Testing received a trust score of 10/100, placing it in the Untrusted category. The skill has significant security findings that require attention before it is used in production.
SkillShield's automated analysis identified 16 findings: 7 critical, 6 high, 2 medium, and 1 low severity. Key findings include "File read + network send exfiltration", "Sensitive path access: SSH key/config", and "Network egress to untrusted endpoints".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100. When reading the score, note that the six critical Manifest findings and the five high Static findings point at the same five lines of SKILL.md (177, 180, 281, 304, 307), so the same SSH key and config references were counted by two layers, and that the two Manifest findings for network egress and zero-width characters are located in other components of the repository (cli-tool/components/mcps/devtools/), not in the skill's own files. The remaining LLM-layer findings concern the skill's post-exploitation commands, which are written for a compromised target but would be equally damaging if an agent ran them on its own host.
Last analyzed on February 11, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (16)
| Severity | Finding | Detail | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | File read + network send exfiltration | SSH key/config file access | Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | cli-tool/components/skills/security/ssh-penetration-testing/SKILL.md:177 |
| CRITICAL | File read + network send exfiltration | SSH key/config file access | Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | cli-tool/components/skills/security/ssh-penetration-testing/SKILL.md:180 |
| CRITICAL | File read + network send exfiltration | SSH key/config file access | Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | cli-tool/components/skills/security/ssh-penetration-testing/SKILL.md:281 |
| CRITICAL | File read + network send exfiltration | SSH key/config file access | Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | cli-tool/components/skills/security/ssh-penetration-testing/SKILL.md:303 |
| CRITICAL | File read + network send exfiltration | SSH key/config file access | Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | cli-tool/components/skills/security/ssh-penetration-testing/SKILL.md:304 |
| CRITICAL | File read + network send exfiltration | SSH key/config file access | Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | cli-tool/components/skills/security/ssh-penetration-testing/SKILL.md:307 |
| CRITICAL | Skill contains commands that could exfiltrate the LLM agent's own sensitive data | The 'Post-Exploitation' phase of the skill includes numerous shell commands (e.g., `find / -name "id_rsa"`, `cat ~/.ssh/known_hosts`, `cat ~/.bash_history`) intended to discover sensitive information on a compromised target. If an AI agent were to interpret these instructions as commands to execute within its own operating environment, it could lead to the exfiltration of the agent's own private keys, SSH configurations, command history, and other sensitive files. | Implement strict sandboxing and context awareness for the AI agent. Ensure the agent cannot execute these commands on its own host system. If the agent is meant to interact with a target, ensure clear separation and explicit targeting. Add warnings within the skill that these commands are for *target* systems only. | LLM | SKILL.md:257 |
| HIGH | Sensitive path access: SSH key/config | Access to SSH key/config path detected: '~/.ssh/id_rsa'. This may indicate credential theft. | Verify that access to this sensitive path is justified and declared. | Static | cli-tool/components/skills/security/ssh-penetration-testing/SKILL.md:177 |
| HIGH | Sensitive path access: SSH key/config | Access to SSH key/config path detected: '~/.ssh/id_ed25519'. This may indicate credential theft. | Verify that access to this sensitive path is justified and declared. | Static | cli-tool/components/skills/security/ssh-penetration-testing/SKILL.md:180 |
| HIGH | Sensitive path access: SSH key/config | Access to SSH key/config path detected: '~/.ssh/config'. This may indicate credential theft. | Verify that access to this sensitive path is justified and declared. | Static | cli-tool/components/skills/security/ssh-penetration-testing/SKILL.md:281 |
| HIGH | Sensitive path access: SSH key/config | Access to SSH key/config path detected: '~/.ssh/authorized_keys'. This may indicate credential theft. | Verify that access to this sensitive path is justified and declared. | Static | cli-tool/components/skills/security/ssh-penetration-testing/SKILL.md:304 |
| HIGH | Sensitive path access: SSH key/config | Access to SSH key/config path detected: '~/.ssh/authorized_keys'. This may indicate credential theft. | Verify that access to this sensitive path is justified and declared. | Static | cli-tool/components/skills/security/ssh-penetration-testing/SKILL.md:307 |
| HIGH | Python script demonstrates pattern vulnerable to command injection on target | The provided Python script includes an `execute_command` function that directly passes a `command` string to `paramiko.SSHClient().exec_command()`. While the example usage hardcodes the command, if an AI agent were to construct this `command` string from unsanitized user input, it could lead to command injection on the remote SSH target. This pattern teaches a potentially unsafe way to execute commands if not handled carefully. | Advise against directly concatenating untrusted input into commands. Recommend parameterized commands if the SSH library supports them, or robust input sanitization/allowlisting for commands generated from user input. For `paramiko.exec_command`, ensure the `command` argument is always from a trusted source or strictly validated. | LLM | SKILL.md:300 |
| MEDIUM | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | Skill requires broad system and network execution permissions | The 'SSH Penetration Testing' skill, by its very nature, requires the ability to execute a wide array of powerful system and network tools (e.g., `nmap`, `hydra`, `medusa`, `msfconsole`, `ssh`, `curl`, `find`, `cat`, `sudo`). Granting an AI agent the capability to run these commands without strict sandboxing and oversight poses a significant security risk, as it allows for extensive network interaction, potential system modification, and data access. | Implement a robust execution environment for the AI agent that strictly limits its access to system resources and network interfaces. Use sandboxing, containerization, and fine-grained permission controls. Ensure human oversight and approval for sensitive operations. The agent should only be allowed to execute these tools in a controlled, isolated, and explicitly authorized penetration testing environment. | LLM | SKILL.md:1 |
| LOW | Covert behavior / concealment directives | Multiple zero-width characters (stealth text) | Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
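The three LLM-layer findings share one structural fix: the command must be validated before any connection is opened, and the target must be checked against an explicit engagement scope that excludes the agent's own host, so the post-exploitation commands can only ever reach a system the tester is authorised to attack. The following is an added example of that pattern, not the skill's own `execute_command` script; the `SCOPE` networks, the `ALLOWED_COMMANDS` table, the `run_remote` wrapper and the assumption that the target's host key was recorded in known_hosts during reconnaissance are all illustrative choices. Reading `.ssh/authorized_keys` on the target stays permitted, because that is the skill's declared purpose; the control is on where and how the command runs, not on the path.

```python
"""
Hardened version of the flagged paramiko pattern: an explicit target-scope
check (the commands can never run against the agent's own host), a command
allowlist, and shlex quoting of every caller-supplied argument.
Added example, not the skill's script; scope, allowlist and credential
handling are assumptions chosen for illustration.
"""
import ipaddress
import shlex
import socket

# Assumed engagement scope: only literal IPs inside these networks may be touched.
SCOPE = ("10.10.0.0/16", "192.168.56.0/24")

# Allowlist: logical name -> (remote argv prefix, number of caller-supplied
# arguments).  Each argument is shell-quoted, so "x; curl http://..." reaches
# the target as one literal argument instead of a second command.
ALLOWED_COMMANDS = {
    "uname":    (["uname", "-a"], 0),
    "id":       (["id"], 0),
    "ls_dir":   (["ls", "-la"], 1),   # e.g. ls_dir .ssh   (relative to the login home)
    "cat_file": (["cat"], 1),         # e.g. cat_file .ssh/authorized_keys
}


def own_addresses():
    """Best-effort set of this machine's own IP addresses (the agent's host)."""
    addrs = {"127.0.0.1", "::1"}
    try:
        for info in socket.getaddrinfo(socket.gethostname(), None):
            addrs.add(info[4][0])
    except socket.gaierror:
        pass
    return addrs


def target_in_scope(host, scope=SCOPE, local=None):
    """True only for a literal IP inside the scope that is not loopback,
    unspecified, or one of this machine's own addresses."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                     # hostnames are refused: no DNS surprises
    if ip.is_loopback or ip.is_unspecified:
        return False
    if str(ip) in (own_addresses() if local is None else local):
        return False
    return any(ip in ipaddress.ip_network(net) for net in scope)


def build_command(name, args=()):
    """Build the remote command line from the allowlist; refuse anything else."""
    if name not in ALLOWED_COMMANDS:
        raise PermissionError(f"{name!r} is not an allowlisted command")
    argv, nargs = ALLOWED_COMMANDS[name]
    if len(args) != nargs:
        raise ValueError(f"{name!r} takes {nargs} argument(s), got {len(args)}")
    for arg in args:
        if "\x00" in arg or "\n" in arg:
            raise ValueError("control characters are not allowed in arguments")
    return " ".join(argv + [shlex.quote(arg) for arg in args])


def run_remote(host, username, key_filename, name, args=(), timeout=30):
    """Run one allowlisted command on an in-scope target over SSH; return stdout.

    paramiko is imported here so the policy checks above run without it
    installed.  connect() and exec_command() are standard paramiko API.
    """
    if not target_in_scope(host):
        raise PermissionError(f"{host} is outside the engagement scope or is this host")
    command = build_command(name, args)      # validated before any connection is made
    import paramiko
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    # Assumes the target's host key was recorded in known_hosts during recon;
    # RejectPolicy then fails closed on an unknown or changed key.
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(host, username=username, key_filename=key_filename,
                   timeout=10, allow_agent=False, look_for_keys=False)
    try:
        _, stdout, _ = client.exec_command(command, timeout=timeout)
        return stdout.read().decode(errors="replace")
    finally:
        client.close()


if __name__ == "__main__":
    # Offline demonstration of the two checks; no connection is made here.
    print(target_in_scope("127.0.0.1"), target_in_scope("10.10.3.7"))
    print(build_command("cat_file", ["/etc/passwd; curl http://203.0.113.5"]))
```

`allow_agent=False` and `look_for_keys=False` matter as much as the allowlist: they stop paramiko from silently offering the agent host's own `~/.ssh` keys to the target, which is the credential-leak direction the CRITICAL findings describe.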
Full report: https://skillshield.io/report/1516e4f79577e766
Powered by SkillShield