server-access

Warn

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: MEDIUM
Flags: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill is designed to read and use sensitive SSH configuration data and private keys from ~/.systemcraft/ssh/creds.yml and ~/.ssh/. It specifically targets credentials for administrative access to servers.
  • [COMMAND_EXECUTION]: The helper script scripts/server_access.py builds and executes shell commands locally using subprocess.run. It uses the StrictHostKeyChecking=accept-new flag in its SSH calls, which automatically trusts new host keys, bypassing a security check and potentially exposing the session to man-in-the-middle attacks.
  • [REMOTE_CODE_EXECUTION]: The inspect subcommand in the helper script allows the agent to execute arbitrary commands on remote servers. The script takes user-provided arguments and wraps them in a bash -lc call on the remote host, providing a direct path for remote code execution.
  • [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection by processing output from remote commands (like docker ps) and returning it to the agent without sanitization.
  • Ingestion points: Remote shell command outputs from scripts/server_access.py.
  • Boundary markers: None identified in the script or skill instructions for separating remote data from agent instructions.
  • Capability inventory: The skill can read local sensitive files (SSH keys/config) and execute arbitrary shell commands on remote servers.
  • Sanitization: No sanitization of remote command output is performed before the agent processes it.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 7, 2026, 10:49 PM