Trust Assessment
mcp-ssh-manager received a trust score of 64/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 1 high, 3 medium, and 1 low severity. Key findings include: sensitive environment variable access (`$HOME`); LLM instructed to perform local shell command injection via workdir path construction; and an unvalidated server name used in local path construction in `save-status.sh`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| HIGH | LLM instructed to perform local shell command injection via workdir path construction | The `SKILL.md` documentation provides examples of local shell commands for workdir management (e.g., `mkdir -p`, `echo`, output redirection `>`). These examples use placeholders like `{hostname}` and `{YYYY-MM-DD}-{topic}` in file paths. If the host LLM is prompted to execute these commands and substitutes untrusted user input directly into these placeholders without proper sanitization or escaping, it could lead to local command injection or path traversal. For instance, if `{hostname}` contains shell metacharacters (e.g., `foo; rm -rf /`), the LLM might construct and execute a command that performs arbitrary local shell operations on the agent's host machine. The skill documentation should explicitly warn the LLM about sanitizing user input for `{hostname}` and `{YYYY-MM-DD}-{topic}` when constructing local file paths. Alternatively, provide helper functions or tools that safely construct these paths and execute commands, rather than raw shell examples. The `create-workdir.sh` script already performs some validation for `hostname`, which should be consistently applied or referenced. | LLM | SKILL.md:180 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/imaxtomas/mcp-ssh-manager/scripts/create-workdir.sh:31 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/imaxtomas/mcp-ssh-manager/scripts/save-status.sh:36 |
| MEDIUM | Unpinned external dependency `mcp_servers` in manifest | The skill's manifest declares a dependency on `mcp_servers` without specifying a version constraint. This means that any version of `mcp_servers` could be used, potentially introducing breaking changes, vulnerabilities, or unexpected behavior if a new, incompatible, or compromised version is released. This poses a supply chain risk. Pin the version of `mcp_servers` to a specific, known-good version or a version range (e.g., `"mcp_servers": ["ssh-manager==1.2.3"]` or `"mcp_servers": ["ssh-manager>=1.0.0,<2.0.0"]`) to ensure stability and security. | LLM | SKILL.md:4 |
| LOW | Unvalidated server name used in local path construction in `save-status.sh` | The `scripts/save-status.sh` script, when it determines it's not in an existing workdir, constructs a new workdir path using the `$SERVER` variable: `WORKDIR="$HOME/.ssh-workdir/${SERVER}/$(date +%Y-%m-%d)-status"`. The `$SERVER` variable is taken directly from the first argument (`$1`) without validation. While `mkdir -p` is used with quoted arguments, a malicious `SERVER` value containing path traversal sequences (e.g., `foo/../../`) could lead to directories being created in unexpected locations within the `~/.ssh-workdir` base directory. This does not allow escaping the `~/.ssh-workdir` base, but can lead to disorganization or overwriting of other workdir contents. Implement robust validation for the `$SERVER` argument in `scripts/save-status.sh` to prevent path traversal characters (e.g., `/`, `..`) when constructing the workdir path. The validation used in `scripts/create-workdir.sh` for `HOSTNAME` should be applied here. | LLM | scripts/save-status.sh:34 |