anderskev

Wish Ssh Code Review

Author: Kevin Anderson · v2.3.1 · MIT-0
cross-platform ✓ Security check passed
Total downloads: 154 · Favorites: 0 · Current installs: 1 · Versions: 2
Install in OpenClaw
/install wish-ssh-code-review
Description
Reviews Wish SSH server code for proper middleware, session handling, and security patterns. Use when reviewing SSH server code using charmbracelet/wish.
Usage instructions (SKILL.md)

Wish SSH Code Review

Quick Reference

Issue Type                    Reference
Server setup, middleware      references/server.md
Session handling, security    references/sessions.md

Review gates

Run these in order when producing a written review. Do not claim a defect in a later step until the "Pass when" condition for the current step is satisfied for the code under review.

  1. Locate Wish entry points. Pass when: you have at least one repo path per server surface that calls wish.NewServer, wish.WithMiddleware, registers bubbletea.Middleware, or defines the top-level ssh.Handler chain (list the paths explicitly).
  2. Capture server-setup evidence. Pass when: for each path from step 1, you have the actual wish.WithHostKey* / host-key configuration and the full middleware list in source order as written (not recalled from memory). If graceful shutdown exists, note the file(s) where ListenAndServe and Shutdown run.
  3. Capture session / TUI evidence. Pass when: for each teaHandler (or equivalent), you have noted from source whether s.Pty() is checked before using window size, and whether per-session renderers (bubbletea.MakeRenderer) are used where Lipgloss styles apply.
  4. Write findings. Pass when: each finding uses [FILE:LINE] ISSUE_TITLE (line range allowed where needed) and points to the relevant row in Quick Reference (or the matching section in references/).
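
One way to collect the evidence gates 2 and 3 ask for mechanically, using only Go's standard go/ast tooling. This is an added example, not part of the skill or of charmbracelet/wish. The Collect function and the sample source are constructed for illustration, and matching on the literal names wish.WithMiddleware and .Pty assumes the reviewed code uses the default package names.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
	"strings"
)

// sample is constructed input for this example, not code from a real repository.
const sample = `package main
func run() { wish.NewServer(wish.WithMiddleware(
	bubbletea.Middleware(teaHandler),
	logging.Middleware(),
)) }
func teaHandler(s ssh.Session) { pty, _, _ := s.Pty(); use(pty) }`

// Collect returns the wish.WithMiddleware arguments in source order (gate 2)
// and the lines where the third result of x.Pty() is discarded (gate 3).
// wish runs the last listed middleware first; read mw back to front for run order.
func Collect(src string) (mw []string, unchecked []int, err error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, nil, err
	}
	ast.Inspect(f, func(n ast.Node) bool {
		if c, ok := n.(*ast.CallExpr); ok && types.ExprString(c.Fun) == "wish.WithMiddleware" {
			for _, a := range c.Args {
				if m, ok := a.(*ast.CallExpr); ok {
					mw = append(mw, types.ExprString(m.Fun))
				}
			}
		}
		if as, ok := n.(*ast.AssignStmt); ok && len(as.Lhs) == 3 && len(as.Rhs) == 1 {
			c, isCall := as.Rhs[0].(*ast.CallExpr)
			id, isID := as.Lhs[2].(*ast.Ident)
			if isCall && isID && id.Name == "_" && strings.HasSuffix(types.ExprString(c.Fun), ".Pty") {
				unchecked = append(unchecked, fset.Position(as.Pos()).Line)
			}
		}
		return true
	})
	return mw, unchecked, nil
}

func main() { fmt.Println(Collect(sample)) }
```

The returned line numbers feed directly into the [FILE:LINE] format gate 4 requires.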

Review Checklist

Use alongside Review gates; for a written review, complete the gates first so each item below can be tied to cited source.

  • Host keys are loaded from file or generated securely
  • Middleware order is correct (logging first, auth early)
  • Session context is used for per-connection state
  • Graceful shutdown handles active sessions
  • PTY requests are handled for terminal apps
  • Connection limits prevent resource exhaustion
  • Timeout middleware prevents hung connections
  • BubbleTea middleware correctly configured

Critical Patterns

Server Setup

// GOOD - complete server setup
s, err := wish.NewServer(
    wish.WithAddress(fmt.Sprintf("%s:%d", host, port)),
    wish.WithHostKeyPath(".ssh/id_ed25519"),
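    wish.WithMiddleware(
        // wish composes middleware first to last, so the last entry runs first.
        bubbletea.Middleware(teaHandler),
        activeterm.Middleware(),    // require an active PTY before the TUI starts
        logging.Middleware(),       // listed last so it runs first: log all connections
    ),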
)
if err != nil {
    return fmt.Errorf("creating server: %w", err)
}

Graceful Shutdown

// BAD - abrupt shutdown
log.Fatal(s.ListenAndServe())

// GOOD - graceful shutdown
done := make(chan os.Signal, 1)
signal.Notify(done, os.Interrupt, syscall.SIGTERM)

go func() {
    if err := s.ListenAndServe(); err != nil && !errors.Is(err, ssh.ErrServerClosed) {
        log.Error("server error", "error", err)
    }
}()

<-done
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
if err := s.Shutdown(ctx); err != nil {
    log.Error("shutdown error", "error", err)
}

BubbleTea Handler

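func teaHandler(s ssh.Session) (tea.Model, []tea.ProgramOption) {
    // Check the active flag before trusting pty.Window: without a PTY
    // the window size is zero.
    pty, _, active := s.Pty()
    if !active {
        wish.Fatalln(s, "no active terminal, skipping")
        return nil, nil
    }

    // Size the model from the client's PTY window.
    model := NewModel(pty.Window.Width, pty.Window.Height)

    return model, []tea.ProgramOption{
        tea.WithAltScreen(),
        tea.WithMouseCellMotion(),
    }
}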

When to Load References

  • Reviewing server initialization → server.md
  • Reviewing authentication, session state → sessions.md

Review Questions

  1. Are host keys handled securely?
  2. Is middleware order correct?
  3. Is graceful shutdown implemented?
  4. Are PTY window sizes passed to the TUI?
  5. Are connection timeouts configured?
Security usage advice
This skill is instruction-only and appears coherent for code review of charmbracelet/wish-based SSH servers. Before installing/using it: 1) Understand the agent will read repository source files (so do not expose repos that contain private keys, passwords, or other secrets you don't want inspected). 2) The skill's source and homepage are unknown — that increases supply-chain uncertainty even though the content is benign. 3) It will not install software or ask for credentials, and it does not request persistent privileges. If you plan to run automated reviews, limit the agent's repository access to only the code you want reviewed and remove any real secrets from the repository.
Functional analysis
Type: OpenClaw Skill Name: wish-ssh-code-review Version: 2.3.1 The skill bundle is a legitimate tool designed to guide an AI agent through a security-focused code review of SSH servers built with the 'charmbracelet/wish' library. The instructions in SKILL.md and the reference files (references/server.md, references/sessions.md) promote defensive best practices such as proper host key management, middleware ordering, and session handling. No indicators of malicious intent, data exfiltration, or prompt injection were found.
Capability assessment
Purpose & Capability
Name/description (Wish SSH code review) match the SKILL.md: it instructs the agent to locate wish.NewServer entry points, capture middleware and session evidence, and produce findings tied to source file locations. No unrelated binaries, env vars, or installs are requested.
Instruction Scope
The runtime instructions are precise and scoped to reading repository source and producing annotated findings (locate entry points, capture middleware list, check PTY usage, graceful shutdown, etc.). These steps legitimately require reading code paths in the repo. The instructions do not instruct the agent to read unrelated system files, access secrets, or transmit data to external endpoints.
Install Mechanism
No install spec and no code files to execute — lowest-risk model (instruction-only). Nothing is downloaded or written to disk by the skill itself.
Credentials
The skill requests no environment variables, credentials, or config paths. The included reference samples mention handling env values (e.g., os.Getenv) only as review topics (to check if reviewed code uses envs insecurely) — that is appropriate and expected.
Persistence & Privilege
always is false and the skill does not request persistent installation or system-wide changes. It does not modify other skills or agent configuration.
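How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install wish-ssh-code-review
  3. Once installed, invoke the Skill by name or trigger it with /wish-ssh-code-review
  4. Provide the required input according to the Skill's parameter description to get structured output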
Version history
v2.3.1
- Introduced a sequential "Review gates" process for structured code review, with explicit pass conditions for each step.
- Updated the review process to require explicit source citations and evidence gathering before making findings.
- Clarified how to tie each checklist item and finding to Quick Reference or documentation.
- Reworded instructions for preparing findings, including formatting and linking to reference material.
- No functional changes to code review patterns or checklist content.
v2.3.0
Version 2.3.0 updates Wish SSH code review skill documentation and guidance.
- Adds SKILL.md with clear review checklist for security, session handling, and middleware order.
- Provides example patterns for proper server setup, graceful shutdown, and BubbleTea handler integration.
- Includes practical reference links and concise review questions for quick guidance.
- Emphasizes proper use of context, secure host key handling, and middleware sequencing.
Metadata
Slug wish-ssh-code-review
Version 2.3.1
License MIT-0
Total installs 1
Current installs 1
Versions 2
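Frequently asked questions

What is Wish Ssh Code Review?

Reviews Wish SSH server code for proper middleware, session handling, and security patterns. Use when reviewing SSH server code using charmbracelet/wish. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 154 total downloads to date.

How do I install Wish Ssh Code Review?

Run the command "/install wish-ssh-code-review" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration.

Is Wish Ssh Code Review free?

Yes, Wish Ssh Code Review is completely free and released under the MIT-0 license, so it can be freely downloaded, installed, and used.

Which platforms does Wish Ssh Code Review support?

Wish Ssh Code Review runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Wish Ssh Code Review?

It is developed and maintained by Kevin Anderson (@anderskev); the current version is v2.3.1.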
