Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dockerfile Builder

v3.0.0

Generate and lint Dockerfiles for common languages and frameworks. Use when creating container configs.

by BytesAgain2 @ckchzh
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included script and commands (create, lint, optimize, template, scan, list). No unrelated binaries, env vars, or external services are requested.
Instruction Scope
SKILL.md instructs the agent to run the bundled shell script and to store data under ~/.local/share/dockerfile-builder. The script reads files supplied by the user (lint/scan/optimize) which is expected for a linter/scan tool, but that means it will examine any paths the agent is asked to scan (including files containing secrets) and echo warnings. The script also has minor robustness bugs (unquoted variable usage and a literal '$2' in some echo strings) which can affect how filenames with spaces or special characters are handled.
Install Mechanism
No install spec; this is instruction-only with a bundled script. Nothing is downloaded or extracted from external URLs during install.
Credentials
No environment variables, credentials, or config paths are requested. The single local data directory created (~/.local/share/dockerfile-builder) is proportional to the stated purpose.
Persistence & Privilege
always:false and no modifications to other skills or system-wide settings. The script creates only its own data directory in the user's home directory.
Assessment
This skill appears to do what it claims and has no network or credential access. Before installing/using it, be aware that: (1) the script will read any file you ask it to scan/lint — do not point it at sensitive system files or files containing secrets unless you intend to analyze them; (2) the shell script uses unquoted variables and has small bugs (e.g., literal '$2' output), so avoid passing untrusted or specially crafted filenames (filenames with spaces or strange characters) to the commands; and (3) while no external exfiltration is present in the bundle, always audit any future updates or similarly named skills before trusting them.

Like a lobster shell, security has layers — review code before you run it.
