Automic Vault

brew package intelligence

openssh

Automic Vault tracks openssh because plain-text SSH private keys matter when AI agents run command-line tools on macOS.

overview

What Automic Vault knows about openssh

OpenBSD freely-licensed SSH connectivity tools

Homepage

Not present in the local metadata.

Commands and aliases

No executable aliases were found in the local package database.

radioisotope

Plain Text SSH Private Keys

`ssh` reads private keys from ~/.ssh and IdentityFile paths. Unencrypted private keys are reusable credentials that local agents can read directly. Automic Vault currently detects this exposure but does not yet provide a migration or package modification for OpenSSH.

Local README excerpt

OpenSSH Radioisotope Detector

This detector reports unencrypted SSH private keys in ~/.ssh and explicit IdentityFile paths from ~/.ssh/config.

It does not currently migrate keys, wrap ssh, or manage ssh-agent state.

Source: data/radioisotopes/openssh/README.md

Caveats

  • We report unencrypted private key files only.
  • Encrypted private keys and ssh-agent socket state are not reported.
  • We inspect ~/.ssh and IdentityFile paths declared in ~/.ssh/config.
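The check described above, sketched as an added example (not Automic Vault's detector code). How encryption is decided is an assumption based on the OpenSSH and PEM key formats; the function names, paths and key blobs are constructed for illustration and hold no key material.

```python
import base64, re, struct
MAGIC = b"openssh-key-v1\0"  # header of the newer OpenSSH private key format

def classify_key(text):
    """Return 'unencrypted', 'encrypted', or None when text is not a private key."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----(.*?)-----END \1-----", text, re.S)
    if not m:
        return None
    label, body = m.groups()
    if label == "OPENSSH PRIVATE KEY":
        try:
            blob = base64.b64decode("".join(body.split()))
        except ValueError:
            return None
        if not blob.startswith(MAGIC):
            return None
        none_field = struct.pack(">I", 4) + b"none"  # length-prefixed cipher name "none"
        return "unencrypted" if blob[len(MAGIC):].startswith(none_field) else "encrypted"
    # PEM formats: PKCS#8 uses its own label, legacy PEM a Proc-Type header
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
        return "encrypted"
    return "unencrypted"

def identity_files(config_text, home):
    """Paths from IdentityFile lines; paths with %-tokens are skipped (simplification)."""
    paths = []
    for line in config_text.splitlines():
        m = re.match(r"\s*identityfile(?:\s*=\s*|\s+)(.+?)\s*$", line, re.I)
        if m and "%" not in m.group(1):
            p = m.group(1).strip('"')
            paths.append(home + p[1:] if p.startswith("~/") else p)
    return paths

def scan(files, config_text, home):
    """files maps path -> contents; returns sorted paths of unencrypted keys."""
    candidates = {p for p in files if p.startswith(home + "/.ssh/")}
    candidates.update(identity_files(config_text, home))
    return sorted(p for p in candidates if classify_key(files.get(p, "")) == "unencrypted")

def fake_openssh(cipher):  # constructed header only, contains no key material
    b64 = base64.b64encode(MAGIC + struct.pack(">I", len(cipher)) + cipher).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

HOME = "/Users/demo"  # everything below is constructed sample data
SAMPLE_CONFIG = 'Host build\n  IdentityFile ~/keys/deploy\n  identityfile="/opt/ci key"\n# IdentityFile ~/ignored\n'
PEM = "-----BEGIN RSA PRIVATE KEY-----\n{}AAAA\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_FILES = {HOME + "/.ssh/id_ed25519": fake_openssh(b"none"), HOME + "/.ssh/id_rsa": fake_openssh(b"aes256-ctr"),
                HOME + "/keys/deploy": PEM.format(""), "/opt/ci key": PEM.format("Proc-Type: 4,ENCRYPTED\n\n")}
```

To run it against a real home directory, read the files under `~/.ssh` and each IdentityFile target into the `files` mapping before calling `scan`.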

install metadata

Resolver facts

Package key: brew:openssh
Last updated: 2026-04-02T10:20:39Z
Pulse: updated

source trail

Generated from repository data

This page is regenerated by scripts/generate-pkg-pages.py. Deployments refuse to publish if www/pkg/ is stale relative to local package data.

Used sources

  • Nucleus package database
  • local isotope README
  • radioisotope security manifest