The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The skill documentation encourages and facilitates the storage of sensitive authentication credentials in a predictable local file.
It references a configuration file at ~/.claude/ssh-targets.json that stores hostnames, usernames, and plaintext passwords.
It explicitly points to sensitive file paths for authentication, such as ~/.ssh/id_rsa.
[COMMAND_EXECUTION]: The primary purpose of the skill is to execute arbitrary shell commands on remote hosts.
It provides examples using sudo for administrative actions.
It includes specific instructions for establishing persistence on remote systems using systemd-run and nohup to keep processes running after the SSH session closes.
[PROMPT_INJECTION]: The skill contains instructions that attempt to control the agent's operational logic and creates a surface for indirect attacks.
Workflow Override: It mandates a specific execution chain (planning → gm-execute → gm-emit → gm-complete → update-docs) and the use of subagents, overriding the agent's default task handling.
Indirect Injection Surface:
Ingestion points: The exec:ssh tool accepts arbitrary shell commands as input from the agent's context (SKILL.md).
Boundary markers: Absent. There are no delimiters or instructions to ignore embedded commands within processed data.
Capability inventory: Remote shell execution, privilege escalation (sudo), and process persistence mechanisms.
Sanitization: Absent. The skill does not describe any validation or escaping of the command string before execution.
[EXTERNAL_DOWNLOADS]: The skill requires the ssh2 npm package to be installed manually by the user using npm install.

ssh