← Back to Skills Marketplace
Wish Ssh Code Review
by
Kevin Anderson
· GitHub ↗
· v2.3.1
· MIT-0
154
Downloads
0
Stars
1
Active Installs
2
Versions
Install in OpenClaw
/install wish-ssh-code-review
Description
Reviews Wish SSH server code for proper middleware, session handling, and security patterns. Use when reviewing SSH server code using charmbracelet/wish.
README (SKILL.md)
Wish SSH Code Review
Quick Reference
| Issue Type | Reference |
|---|---|
| Server setup, middleware | references/server.md |
| Session handling, security | references/sessions.md |
Review gates
Run these in order when producing a written review. Do not claim a defect in a later step until the Pass when for the current step is satisfied for the code under review.
- Locate Wish entry points — Pass when: you have at least one repo path per server surface that calls
wish.NewServer,wish.WithMiddleware, registersbubbletea.Middleware, or defines the top-levelssh.Handlerchain (list the paths explicitly). - Capture server-setup evidence — Pass when: for each path from step 1, you have the actual
wish.WithHostKey*/ host-key configuration and the full middleware list in source order as written (not recalled from memory). If graceful shutdown exists, note the file(s) whereListenAndServeandShutdownrun. - Capture session / TUI evidence — Pass when: for each
teaHandler(or equivalent), you have noted from source whethers.Pty()is checked before using window size, and whether per-session renderers (bubbletea.MakeRenderer) are used where Lipgloss styles apply. - Write findings — Pass when: each finding uses
[FILE:LINE] ISSUE_TITLE(line range allowed where needed) and points to the relevant row in Quick Reference (or the matching section inreferences/).
Review Checklist
Use alongside Review gates; for a written review, complete the gates first so each item below can be tied to cited source.
- Host keys are loaded from file or generated securely
- Middleware order is correct (logging first, auth early)
- Session context is used for per-connection state
- Graceful shutdown handles active sessions
- PTY requests are handled for terminal apps
- Connection limits prevent resource exhaustion
- Timeout middleware prevents hung connections
- BubbleTea middleware correctly configured
Critical Patterns
Server Setup
// GOOD - complete server setup
s, err := wish.NewServer(
wish.WithAddress(fmt.Sprintf("%s:%d", host, port)),
wish.WithHostKeyPath(".ssh/id_ed25519"),
wish.WithMiddleware(
logging.Middleware(), // first: log all connections
activeterm.Middleware(), // handle terminal sizing
bubbletea.Middleware(teaHandler),
),
)
if err != nil {
return fmt.Errorf("creating server: %w", err)
}
Graceful Shutdown
// BAD - abrupt shutdown
log.Fatal(s.ListenAndServe())
// GOOD - graceful shutdown
done := make(chan os.Signal, 1)
signal.Notify(done, os.Interrupt, syscall.SIGTERM)
go func() {
if err := s.ListenAndServe(); err != nil && !errors.Is(err, ssh.ErrServerClosed) {
log.Error("server error", "error", err)
}
}()
\x3C-done
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
if err := s.Shutdown(ctx); err != nil {
log.Error("shutdown error", "error", err)
}
BubbleTea Handler
func teaHandler(s ssh.Session) (tea.Model, []tea.ProgramOption) {
pty, _, _ := s.Pty()
model := NewModel(pty.Window.Width, pty.Window.Height)
return model, []tea.ProgramOption{
tea.WithAltScreen(),
tea.WithMouseCellMotion(),
}
}
When to Load References
- Reviewing server initialization → server.md
- Reviewing authentication, session state → sessions.md
Review Questions
- Are host keys handled securely?
- Is middleware order correct?
- Is graceful shutdown implemented?
- Are PTY window sizes passed to the TUI?
- Are connection timeouts configured?
Usage Guidance
This skill is instruction-only and appears coherent for code review of charmbracelet/wish-based SSH servers. Before installing/using it: 1) Understand the agent will read repository source files (so do not expose repos that contain private keys, passwords, or other secrets you don't want inspected). 2) The skill's source and homepage are unknown — that increases supply-chain uncertainty even though the content is benign. 3) It will not install software or ask for credentials, and it does not request persistent privileges. If you plan to run automated reviews, limit the agent's repository access to only the code you want reviewed and remove any real secrets from the repository.
Capability Analysis
Type: OpenClaw Skill
Name: wish-ssh-code-review
Version: 2.3.1
The skill bundle is a legitimate tool designed to guide an AI agent through a security-focused code review of SSH servers built with the 'charmbracelet/wish' library. The instructions in SKILL.md and the reference files (references/server.md, references/sessions.md) promote defensive best practices such as proper host key management, middleware ordering, and session handling. No indicators of malicious intent, data exfiltration, or prompt injection were found.
Capability Assessment
Purpose & Capability
Name/description (Wish SSH code review) match the SKILL.md: it instructs the agent to locate wish.NewServer entry points, capture middleware and session evidence, and produce findings tied to source file locations. No unrelated binaries, env vars, or installs are requested.
Instruction Scope
The runtime instructions are precise and scoped to reading repository source and producing annotated findings (locate entry points, capture middleware list, check PTY usage, graceful shutdown, etc.). These steps legitimately require reading code paths in the repo. The instructions do not instruct the agent to read unrelated system files, access secrets, or transmit data to external endpoints.
Install Mechanism
No install spec and no code files to execute — lowest-risk model (instruction-only). Nothing is downloaded or written to disk by the skill itself.
Credentials
The skill requests no environment variables, credentials, or config paths. The included reference samples mention handling env values (e.g., os.Getenv) only as review topics (to check if reviewed code uses envs insecurely) — that is appropriate and expected.
Persistence & Privilege
always is false and the skill does not request persistent installation or system-wide changes. It does not modify other skills or agent configuration.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install wish-ssh-code-review - After installation, invoke the skill by name or use
/wish-ssh-code-review - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.3.1
- Introduced a sequential "Review gates" process for structured code review, with explicit pass conditions for each step.
- Updated the review process to require explicit source citations and evidence gathering before making findings.
- Clarified how to tie each checklist item and finding to Quick Reference or documentation.
- Reworded instructions for preparing findings, including formatting and linking to reference material.
- No functional changes to code review patterns or checklist content.
v2.3.0
Version 2.3.0 updates Wish SSH code review skill documentation and guidance.
- Adds SKILL.md with clear review checklist for security, session handling, and middleware order.
- Provides example patterns for proper server setup, graceful shutdown, and BubbleTea handler integration.
- Includes practical reference links and concise review questions for quick guidance.
- Emphasizes proper use of context, secure host key handling, and middleware sequencing.
Metadata
Frequently Asked Questions
What is Wish Ssh Code Review?
Reviews Wish SSH server code for proper middleware, session handling, and security patterns. Use when reviewing SSH server code using charmbracelet/wish. It is an AI Agent Skill for Claude Code / OpenClaw, with 154 downloads so far.
How do I install Wish Ssh Code Review?
Run "/install wish-ssh-code-review" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Wish Ssh Code Review free?
Yes, Wish Ssh Code Review is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Wish Ssh Code Review support?
Wish Ssh Code Review is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Wish Ssh Code Review?
It is built and maintained by Kevin Anderson (@anderskev); the current version is v2.3.1.
More Skills