ssh-lab Security Report — Trusted | ClawSafe

5 /100

ssh-lab

Remote server SSH workbench — GPU status, run commands, tail logs, compare hosts, manage alerts across multiple servers

A legitimate SSH workbench for remote GPU server management with no security concerns — uses native SSH child_process, zero runtime dependencies, and all functionality is accurately documented.

Skill Namessh-lab

Duration57.1s

Enginepi

✓

Safe to install

This skill is safe to use. No action required.

Resource	Declared	Inferred	Status	Evidence
Shell	`WRITE`	`WRITE`	✓ Aligned	SKILL.md line 'SSH via child_process: Uses native ssh'
Filesystem	`READ`	`READ`	✓ Aligned	src/ssh/config.ts:11 reads ~/.ssh/config
Network	`READ`	`READ`	✓ Aligned	SSH connections only to configured hosts via ssh binary
Environment	`NONE`	`NONE`	—	Only reads $HOME, $USER, $XDG_CONFIG_HOME for path resolution

File Tree

39 files · 130.5 KB · 4150 lines

TypeScript 32f · 3679L Markdown 2f · 279L JSON 5f · 192L

├─ ▾ 📁 src

│ ├─ ▾ 📁 alerts

│ │ ├─ 📜 rules.ts TypeScript 136L · 4.8 KB

│ │ └─ 📜 state.ts TypeScript 70L · 1.9 KB

│ ├─ ▾ 📁 commands

│ │ ├─ 📜 add.ts TypeScript 56L · 1.3 KB

│ │ ├─ 📜 alert.ts TypeScript 145L · 4.7 KB

│ │ ├─ 📜 compare.ts TypeScript 220L · 6.4 KB

│ │ ├─ 📜 df.ts TypeScript 89L · 2.5 KB

│ │ ├─ 📜 doctor.ts TypeScript 127L · 4.9 KB

│ │ ├─ 📜 hosts.ts TypeScript 28L · 1.0 KB

│ │ ├─ 📜 ls.ts TypeScript 122L · 3.6 KB

│ │ ├─ 📜 run.ts TypeScript 72L · 2.2 KB

│ │ ├─ 📜 status.ts TypeScript 194L · 6.7 KB

│ │ ├─ 📜 sync.ts TypeScript 112L · 3.5 KB

│ │ ├─ 📜 tail.ts TypeScript 86L · 2.1 KB

│ │ └─ 📜 watch.ts TypeScript 114L · 3.6 KB

│ ├─ ▾ 📁 output

│ │ └─ 📜 formatter.ts TypeScript 38L · 1.2 KB

│ ├─ ▾ 📁 probes

│ │ ├─ 📜 disk.ts TypeScript 49L · 1.4 KB

│ │ ├─ 📜 gpu.ts TypeScript 131L · 3.9 KB

│ │ ├─ 📜 index.ts TypeScript 18L · 598 B

│ │ └─ 📜 process.ts TypeScript 73L · 1.9 KB

│ ├─ ▾ 📁 ssh

│ │ ├─ 📜 config.ts TypeScript 187L · 5.5 KB

│ │ ├─ 📜 exec.ts TypeScript 253L · 9.0 KB

│ │ └─ 📜 pool.ts TypeScript 29L · 878 B

│ ├─ ▾ 📁 types

│ │ └─ 📜 index.ts TypeScript 236L · 5.5 KB

│ ├─ 📜 cli.ts TypeScript 409L · 14.4 KB

│ └─ 📜 index.ts TypeScript 51L · 1.5 KB

├─ ▾ 📁 test

│ ├─ 📜 alerts.test.ts TypeScript 135L · 4.5 KB

│ ├─ 📜 cli.test.ts TypeScript 105L · 3.0 KB

│ ├─ 📜 compare.test.ts TypeScript 102L · 3.9 KB

│ ├─ 📜 gpu.test.ts TypeScript 125L · 3.9 KB

│ ├─ 📜 heartbeat.test.ts TypeScript 52L · 1.7 KB

│ ├─ 📜 pool.test.ts TypeScript 50L · 1.7 KB

│ └─ 📜 ssh.test.ts TypeScript 65L · 2.0 KB

├─ 📋 package-lock.json JSON 54L · 1.5 KB

├─ 📋 package.json JSON 43L · 892 B

├─ 📝 README.md Markdown 108L · 3.3 KB

├─ 📋 skill.json JSON 69L · 2.6 KB

├─ 📝 SKILL.md Markdown 171L · 6.0 KB

├─ 📋 tsconfig.json JSON 19L · 454 B

└─ 📋 tsconfig.test.json JSON 7L · 122 B

Dependencies 2 items

Package	Version	Source	Known Vulns	Notes
`@types/node`	`^25.4.0`	npm devDependencies	No	Development only, not bundled
`typescript`	`^5.9.3`	npm devDependencies	No	Development only, not bundled

Security Positives

✓ Zero runtime dependencies — only TypeScript devDependencies (@types/node)

✓ All subprocess usage documented: native ssh binary via child_process spawn

✓ SSH ControlMaster reuses existing connections — no credential re-entry needed

✓ No external network requests beyond configured SSH hosts

✓ No credential harvesting, exfiltration, or sensitive file access

✓ No obfuscation, base64 encoding, or anti-analysis patterns

✓ Atomic file writes for state files (temp → rename pattern in alerts/state.ts)

✓ StrictHostKeyChecking=accept-new for security-conscious host key verification

✓ BatchMode=yes prevents interactive password prompts

✓ Config stored in XDG-compliant ~/.config/ssh-lab/ (not hardcoded paths)

Scan Report

File Tree

Dependencies 2 items

Security Positives