Delv
Community · Stale · 5mo · 4.3 · by Tufan Tunc

SSH MCP

Executes shell commands securely over SSH on Linux and Windows with password or key-based authentication.

Safety & Trust

Delv Safety Grade: D

Score 42/100 · assessed 2026-04-28

Maintainer: 35
Permissions: 15
Supply chain: 65
Transparency: 60
Incidents: 100

SSH MCP grants Claude unrestricted shell execution on remote servers over SSH, which is an extremely high-risk capability. Whilst the tool itself appears straightforward and is distributed via npm, the maintainer is a solo developer with limited visibility. The core concern is that this gives an AI agent full remote shell access with whatever privileges the SSH user has, including potential root access. There's no sandboxing, command filtering, or audit trail beyond what SSH itself provides. The tool accepts passwords or SSH keys via configuration, creating credential exposure risk. For production systems, this represents a significant attack surface. The package is open source with basic documentation, but the permissions model is essentially 'full remote access', which scores very poorly on safety. Only appropriate for isolated development environments with non-privileged accounts.

Lethal Trifecta (prompt-injection exposure)

TWO OF THREE
Private data: Yes (reads secrets, credentials, private files)
Untrusted input: No (ingests web pages, PRs, issues, emails)
External comms: Yes (can send data outbound)

Remote files count as private data, and commands can send data outbound. Untrusted input enters only if you `cat` adversarial files into the model.

Green flags

  • Uses standard SSH protocol rather than custom remote execution mechanism
  • Distributed via npm with standard installation process
  • Open source implementation allows security review
  • Supports both password and key-based authentication methods

Red flags

  • Grants unrestricted remote shell execution with full SSH user privileges
  • Solo maintainer with limited track record and community oversight
  • No command filtering, sandboxing, or safety guardrails beyond SSH itself
  • Requires SSH credentials (password or key) in configuration files
  • Could enable lateral movement if SSH user has elevated privileges

Permissions requested

  • Shell execute
  • Outbound network
  • Private network
  • Read files
  • Write files
  • Delete files
  • Access secrets

Assessed by Delv Editorial using public metadata. Grades are advisory and update as the ecosystem changes. They do not replace your own review of permissions and code before granting an agent access to sensitive systems.

Install

npx ssh-mcp

Review

SSH MCP does exactly what it says: it lets Claude run shell commands on remote Linux or Windows boxes over SSH. You configure a connection with either password or key-based auth, then Claude can execute commands, read logs, restart services, or poke around file systems without you copying and pasting terminal output back and forth.

I've used it mostly for server ops tasks where I'm debugging a deployment or checking service status across a few boxes. Instead of SSHing in myself, I ask Claude to check disk space, tail logs, or restart a service. It's particularly useful when you're troubleshooting something unfamiliar and want Claude to suggest commands and run them in the same conversation. The workflow is: describe the problem, Claude suggests a diagnostic command, it runs it via SSH, you both see the output, iterate from there. Saves a lot of context switching.

The setup is straightforward if you're comfortable with SSH keys. You point it at a host, provide credentials, and it connects. Password auth works but key-based is cleaner for anything you'll use repeatedly. Windows support is there via OpenSSH, which is less common but does work if the remote box is configured for it.

Quirks: it's a shell command executor, so it inherits all the risks of giving an AI SSH access. You need to trust the host and the commands Claude suggests. There's no sandboxing beyond what you configure on the remote system. Also, it's not a file transfer tool. If you need to move files around, you'll still reach for scp or rsync separately. And because it's community-maintained, expect occasional rough edges if you're running exotic setups.

Who shouldn't bother: if you're managing production infrastructure, this is probably too casual. You want proper orchestration tools and audit logs. But for dev environments, staging boxes, or personal servers where you're already SSHing in manually, it's a solid time-saver. I'd also skip it if you're not comfortable reviewing the commands Claude wants to run before they execute.

Verdict

Install this if you regularly SSH into dev or staging boxes and want Claude to handle routine ops tasks. Skip it for production systems or if you're not confident auditing shell commands before they run. It's a practical tool for developers who live in terminals, not a replacement for proper infrastructure automation.

Good at

  • Lets Claude execute shell commands on remote systems without you switching contexts to a terminal.
  • Supports both password and SSH key authentication, so it fits most existing setups.
  • Works on Linux and Windows (via OpenSSH), covering the common server OS landscape.
  • Useful for debugging and log inspection where you want Claude to suggest and run diagnostic commands in the same conversation.
  • Straightforward setup if you're already familiar with SSH configuration.

Watch out

  • No sandboxing beyond the remote system's own permissions, so you're trusting Claude with full shell access.
  • Can't handle interactive commands or sudo prompts that require user input.
  • Not designed for file transfers, so you'll still need scp or rsync for moving files around.
  • Community-maintained, so support for edge cases or unusual SSH configurations may be limited.
  • Probably too risky for production environments without additional audit and access controls.

Use cases

  • server ops
  • deployment scripts
  • log inspection
  • remote debugging

Getting started

1. Run `npx ssh-mcp` to install the server.
2. Add it to your Claude Desktop config with connection details: host, username, and either a password or path to your SSH private key.
3. Restart Claude Desktop and verify the connection by asking Claude to run a simple command like `uptime` or `ls` on the remote host.
4. Watch out for commands that need interactive input or sudo prompts. Claude can't handle those gracefully, so you'll need to configure passwordless sudo or avoid those commands.
5. Start with read-only commands (checking logs, listing files) before running anything that modifies the system.
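
The red flags above note that there is no command filtering or audit trail beyond SSH itself, and step 5 recommends starting with read-only commands. The following is an added example, not part of ssh-mcp or of this review: a forced-command gate on a Linux remote host that enforces a read-only allowlist and logs every request. The script path, the allowlist, the key label and the assumption that the MCP server sends each command as a plain SSH exec request are all hypothetical.

```shell
#!/bin/sh
# Added example: forced-command gate for the SSH account the MCP server uses.
# Install on the remote host and bind it to the agent's key in authorized_keys
# (path and key are placeholders):
#   command="/usr/local/bin/mcp-gate",restrict ssh-ed25519 <PUBLIC-KEY> mcp-agent
# sshd then runs this script for every session on that key and puts the
# requested command line in SSH_ORIGINAL_COMMAND.
LC_ALL=C; export LC_ALL            # make the A-Z/a-z ranges below byte-exact

# Hypothetical allowlist of read-only diagnostics.
ALLOWED="uptime df free ls cat tail head journalctl systemctl"

# gate_decide CMDLINE -> prints "allow" or "deny:<reason>"; runs nothing.
gate_decide() {
    cmdline=$1
    [ -n "$cmdline" ] || { echo "deny:no-command"; return 0; }
    # Positive character allowlist. ; | & $ ` < > * quotes and newlines are all
    # outside it, so chaining, substitution and redirection are refused.
    case $cmdline in
        *[!A-Za-z0-9\ ._/=:@-]*) echo "deny:metachar"; return 0 ;;
    esac
    set -f; set -- $cmdline; set +f    # split on whitespace, no globbing
    case " $ALLOWED " in
        *" ${1:-} "*) ;;
        *) echo "deny:not-allowlisted"; return 0 ;;
    esac
    # systemctl is allowed for inspection only, never start/stop/restart.
    if [ "$1" = systemctl ]; then
        case ${2:-} in
            status|is-active) ;;
            *) echo "deny:systemctl-verb"; return 0 ;;
        esac
    fi
    echo "allow"
}

gate_main() {
    verdict=$(gate_decide "${SSH_ORIGINAL_COMMAND:-}")
    # Audit trail independent of the agent: one syslog line per request.
    logger -t mcp-gate "verdict=$verdict user=$(id -un) cmd=${SSH_ORIGINAL_COMMAND:-}"
    [ "$verdict" = allow ] || { echo "mcp-gate: $verdict" >&2; exit 1; }
    PATH=/usr/bin:/bin; export PATH
    set -f
    exec $SSH_ORIGINAL_COMMAND         # direct exec of argv; no shell parses it
}

# Act only when started by sshd, which sets SSH_CONNECTION for every session.
if [ -n "${SSH_CONNECTION:-}" ]; then gate_main; fi
```

Because the gate runs on the remote host under sshd, it applies regardless of what the agent or its configuration requests, and the syslog entries give an audit record the client cannot suppress.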

Works with

  • Claude Desktop
  • Claude Code
  • Cursor
