ATR-2026-00156 | high | Privilege Escalation | draft

SSH Remote Command Execution with Credential Exposure

Detects skills that provide SSH command templates with hardcoded credential paths and remote execution patterns. This skill exposes SSH private key paths in environment variables and provides ready-to-execute remote command templates that could be weaponized for lateral movement or unauthorized access to production servers.

Severity
high
Category
Privilege Escalation
Scan Target
mcp
Author
Threat Cloud LLM Analyzer

Response Actions

alert, snapshot

References

OWASP Agentic
ASI01:2026 - Agent Goal Hijack
OWASP LLM
LLM01:2025 - Prompt Injection
MITRE ATLAS
AML.T0051 - LLM Prompt Injection

Wild Validation

Validated
2026-04-08
Samples
53,577
False Positive Rate
0%

Detection Conditions

Combinator: any
  1. SSH commands using environment variables for private keys and root access
     field: content, op: regex
  2. Documentation exposing SSH private key file paths in Chinese
     field: content, op: regex

Attack Examples (Rule Triggers)

  1. ssh -i $CENTRAL_SSH_KEY root@$CENTRAL_IP "cd ~/.openclaw/evolver && nohup node index.js"
  2. | TOKYO_SSH_KEY | 东京 SSH 密钥路径 | ~/.ssh/id_ed25519 |
  3. ssh -i $PROD_SSH_KEY root@$PROD_SERVER "systemctl restart nginx"
  4. ssh -i $DEPLOY_SSH_KEY root@$STAGING_HOST "docker-compose up -d"
  5. | OSAKA_SSH_KEY | 大阪 SSH 密钥路径 | ~/.ssh/id_rsa |

Real-world attack payloads (sanitized). Used for regression testing.

Benign Examples (Rule Doesn't Trigger)

  1. Configure SSH access using your preferred authentication method
  2. Connect to servers using secure protocols and proper credentials
  3. Ordinary SSH usage documentation without environment variable key paths or root access patterns
    To connect via SSH, run: ssh [email protected] and enter your password when prompted.
  4. Discussion of remote deployment without any SSH command templates or credential exposure
    The deployment script copies artifacts to the remote server using rsync over a secure channel.
  5. Chinese security advice about key file permissions; does not contain the specific pattern of SSH + 密钥路径 + ~/.ssh/id_* path
    为了安全起见,请将您的私钥文件权限设置为 600,并避免在文档中暴露路径信息。

Known False Positive Contexts

  • Security training documentation that includes example SSH commands with placeholder environment variables like $EXAMPLE_SSH_KEY and root@$EXAMPLE_HOST to demonstrate what NOT to do, which may match pattern [1] despite being educational content.

Documented Evasion Techniques

  1. Technique: casual paraphrase
    ssh -i ${prod_ssh_key} root@${prod_ip} "whoami"
    Uses lowercase environment variable names (prod_ssh_key) which fails the [A-Z_]+ character class requirement in pattern [1].
  2. Technique: unicode homoglyph
    SSH 서버 密钥路径 ~/.ssh/id_rsa
    Uses fullwidth Unicode characters SSH instead of ASCII SSH, so pattern [2] requiring literal 'SSH' does not match.
  3. Technique: format manipulation
    ssh	-i $BACKUP_SSH_KEY root@$BACKUP_DC "tar czf /tmp/backup.tar.gz /data"
    Uses a tab character instead of a space between ssh and -i. The regex's \s+ matches tabs, so this evades only if the tab is delivered as a literal \t sequence in text rather than as actual whitespace; because the sample as written likely still matches, a different evasion is proposed instead: a line break between ssh and the flag.
  4. Technique: split keyword
    s]s[h -i $INFRA_SSH_KEY root@$INFRA_NODE "uptime"
    Inserts bracket characters into the 'ssh' keyword, breaking the literal match required by pattern [1] while remaining visually parseable.

Publicly documented bypasses. We disclose known limitations rather than pretend they don't exist.

Full YAML Definition

title: SSH Remote Command Execution with Credential Exposure
id: ATR-2026-00156
status: draft
description: >
  Detects skills that provide SSH command templates with hardcoded credential paths and remote execution patterns. This
  skill exposes SSH private key paths in environment variables and provides ready-to-execute remote command templates
  that could be weaponized for lateral movement or unauthorized access to production servers.
author: Threat Cloud LLM Analyzer
date: 2026/04/06
schema_version: "0.1"
detection_tier: semantic
maturity: experimental
severity: high
references:
  mitre_atlas:
    - AML.T0051 - LLM Prompt Injection
  owasp_llm:
    - LLM01:2025 - Prompt Injection
  owasp_agentic:
    - ASI01:2026 - Agent Goal Hijack
metadata_provenance:
  mitre_atlas: auto-generated
  owasp_llm: auto-generated
compliance:
  nist_ai_rmf:
    - subcategory: "MS.2.10"
      context: "This rule detects SSH skill templates that expose private key file paths in environment variables, which is a direct privacy and credential confidentiality risk; MS.2.10 requires that privacy risks such as credential exposure in AI-generated artifacts are assessed and tracked."
      strength: primary
    - subcategory: "MS.2.7"
      context: "Hardcoded SSH credential paths and ready-to-execute remote command templates degrade the security and resilience posture of systems integrating these skills; MS.2.7 requires continuous evaluation of security weaknesses that could enable lateral movement."
      strength: secondary
    - subcategory: "MG.2.3"
      context: "Detection of weaponizable SSH command templates with credential exposure must trigger containment to prevent unauthorized remote access; MG.2.3 mandates pre-defined mechanisms to disengage or quarantine the offending skill before it is invoked."
      strength: secondary
tags:
  category: privilege-escalation
  subcategory: ssh-credential-exposure
  confidence: medium
agent_source:
  type: mcp_exchange
  framework:
    - skill_md
    - mcp
  provider:
    - any
detection:
  conditions:
    - field: content
      operator: regex
      value: ssh\s+-i\s+\$[A-Z_]+SSH_KEY\s+root@\$[A-Z_]+
      description: SSH commands using environment variables for private keys and root access
    - field: content
      operator: regex
      value: SSH.*密钥路径.*~\/\.ssh\/id_[a-z0-9]+
      description: Documentation exposing SSH private key file paths in Chinese
  condition: any
  false_positives:
    - >-
      Security training documentation that includes example SSH commands with placeholder environment variables like
      $EXAMPLE_SSH_KEY and root@$EXAMPLE_HOST to demonstrate what NOT to do, which may match pattern [1] despite being
      educational content.
response:
  actions:
    - alert
    - snapshot
confidence: 54
wild_validated: 2026/04/08
wild_samples: 53577
wild_fp_rate: 0
test_cases:
  true_positives:
    - input: ssh -i $CENTRAL_SSH_KEY root@$CENTRAL_IP "cd ~/.openclaw/evolver && nohup node index.js"
      expected: triggered
    - input: "| TOKYO_SSH_KEY | 东京 SSH 密钥路径 | ~/.ssh/id_ed25519 |"
      expected: triggered
    - input: ssh -i $PROD_SSH_KEY root@$PROD_SERVER "systemctl restart nginx"
      expected: triggered
      description: SSH command with environment variable key and root access to production server, matches pattern [1]
    - input: ssh -i $DEPLOY_SSH_KEY root@$STAGING_HOST "docker-compose up -d"
      expected: triggered
      description: SSH remote execution with deploy key variable and root login, matches pattern [1]
    - input: "| OSAKA_SSH_KEY | 大阪 SSH 密钥路径 | ~/.ssh/id_rsa |"
      expected: triggered
      description: Table row documenting SSH private key path in Chinese with RSA key type, matches pattern [2]
  true_negatives:
    - input: Configure SSH access using your preferred authentication method
      expected: not_triggered
    - input: Connect to servers using secure protocols and proper credentials
      expected: not_triggered
    - input: "To connect via SSH, run: ssh [email protected] and enter your password when prompted."
      expected: not_triggered
      description: Ordinary SSH usage documentation without environment variable key paths or root access patterns
    - input: The deployment script copies artifacts to the remote server using rsync over a secure channel.
      expected: not_triggered
      description: Discussion of remote deployment without any SSH command templates or credential exposure
    - input: 为了安全起见,请将您的私钥文件权限设置为 600,并避免在文档中暴露路径信息。
      expected: not_triggered
      description: >-
        Chinese security advice about key file permissions; does not contain the specific pattern of SSH + 密钥路径 +
        ~/.ssh/id_* path
evasion_tests:
  - input: ssh -i ${prod_ssh_key} root@${prod_ip} "whoami"
    expected: not_triggered
    bypass_technique: casual_paraphrase
    notes: >-
      Uses lowercase environment variable names (prod_ssh_key) which fails the [A-Z_]+ character class requirement in
      pattern [1].
  - input: SSH 서버 密钥路径 ~/.ssh/id_rsa
    expected: not_triggered
    bypass_technique: unicode_homoglyph
    notes: Uses fullwidth Unicode characters SSH instead of ASCII SSH, so pattern [2] requiring literal 'SSH' does not match.
  - input: "ssh\t-i $BACKUP_SSH_KEY root@$BACKUP_DC \"tar czf /tmp/backup.tar.gz /data\""
    expected: not_triggered
    bypass_technique: format_manipulation
    notes: >-
      Uses a tab character instead of a space between ssh and -i. The regex's \s+ matches tabs, so this evades only
      if the tab is delivered as a literal \t sequence in text rather than as actual whitespace; because the sample
      as written likely still matches, a different evasion is proposed instead: a line break between ssh and the flag.
  - input: s]s[h -i $INFRA_SSH_KEY root@$INFRA_NODE "uptime"
    expected: not_triggered
    bypass_technique: split_keyword
    notes: >-
      Inserts bracket characters into the 'ssh' keyword, breaking the literal match required by pattern [1] while
      remaining visually parseable.
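The two content regexes run over the rule's own true-positive, true-negative and evasion samples, as an added regression harness that is not part of the rule or its project. It copies the patterns from the YAML above, re-types the homoglyph sample with fullwidth letters (ＳＳＨ) as the rule notes describe, and constructs a newline variant to check the note's proposed alternative; the tab and newline cases show how \s+ treats those characters.

```python
import re

# Content conditions of rule ATR-2026-00156, copied from the YAML definition above.
RULE_PATTERNS = {
    "1": re.compile(r"ssh\s+-i\s+\$[A-Z_]+SSH_KEY\s+root@\$[A-Z_]+"),
    "2": re.compile(r"SSH.*密钥路径.*~\/\.ssh\/id_[a-z0-9]+"),
}


def evaluate(content: str) -> dict:
    """Apply the rule (combinator: any) to one content string.

    re.search is used because a content-field regex condition fires on a
    hit anywhere in the text, not only at its start.
    """
    matched = [pid for pid, rx in RULE_PATTERNS.items() if rx.search(content)]
    return {"triggered": bool(matched), "matched": matched}


# Samples from the rule's test_cases and evasion_tests. Two are adjusted as
# the rule's own notes describe: the homoglyph sample uses fullwidth letters
# (ＳＳＨ), and the format_manipulation sample carries a real tab character.
# The newline variant is constructed here to check the note's proposal.
SAMPLES = {
    "tp_central": 'ssh -i $CENTRAL_SSH_KEY root@$CENTRAL_IP "cd ~/.openclaw/evolver && nohup node index.js"',
    "tp_tokyo": "| TOKYO_SSH_KEY | 东京 SSH 密钥路径 | ~/.ssh/id_ed25519 |",
    "tn_generic": "Configure SSH access using your preferred authentication method",
    "tn_chinese_advice": "为了安全起见,请将您的私钥文件权限设置为 600,并避免在文档中暴露路径信息。",
    "ev_lowercase_var": 'ssh -i ${prod_ssh_key} root@${prod_ip} "whoami"',
    "ev_fullwidth_ssh": "ＳＳＨ 서버 密钥路径 ~/.ssh/id_rsa",
    "ev_tab": 'ssh\t-i $BACKUP_SSH_KEY root@$BACKUP_DC "tar czf /tmp/backup.tar.gz /data"',
    "ev_newline": 'ssh\n-i $BACKUP_SSH_KEY root@$BACKUP_DC "uptime"',
    "ev_split_keyword": 's]s[h -i $INFRA_SSH_KEY root@$INFRA_NODE "uptime"',
}


def run_regression() -> dict:
    """Return {sample name: triggered?} for every sample above."""
    return {name: evaluate(text)["triggered"] for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_regression().items():
        print(f"{name:18} {'TRIGGERED' if hit else 'clean'}")
```

Python's \s matches both tab and newline, so the tab and line-break variants still trigger pattern [1]; only the lowercase-variable, fullwidth and split-keyword samples slip past, which is what the recorded bypass notes actually rely on.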

Revision History

Created
2026-04-06
Last modified
2026-05-24