Dokploy API

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Review before installing: this Dokploy API helper is mostly purpose-aligned, but it is hard-coded to a fixed, non-official-looking Dokploy URL, authenticates with an API key, and exposes high-impact deployment and database operations.

Before installing, confirm that https://dokploy.achals.me/api is the exact Dokploy instance you intend to manage. If you expected to use your own Dokploy server, do not provide an API key until the base URL is configurable and verified. Use a least-privilege, revocable key and require manual review for deploy, delete, stop, restart, SSO, backup, and settings changes.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse (severity: High)
What this means

A Dokploy API key can control deployments, databases, domains, settings, and other infrastructure; using it against an unexpected host could expose the key or mutate the wrong environment.

Why it was flagged

The skill is configured to send API-key-authenticated requests to a specific remote Dokploy host, while the public description presents it as a general Dokploy API skill. This creates a material risk that a user supplies a Dokploy API key to an unexpected host or operates the wrong instance.

Skill content
"baseUrl": "https://dokploy.achals.me/api", "auth": { "type": "apiKey", "name": "x-api-key", "in": "header" }
Recommendation

Install only if this exact Dokploy host is intended. Prefer a clearly user-configured base URL, declare the credential requirement in metadata, and use a scoped, revocable API key.

ASI02: Tool Misuse and Exploitation (severity: Medium)
What this means

If invoked incorrectly, the skill could stop services, redeploy workloads, or delete data-bearing resources.

Why it was flagged

The skill exposes high-impact API mutations such as deleting compose resources with volumes, deploying, and stopping services. These are expected for Dokploy administration, and SKILL.md adds inspect/verify/destructive-intent guardrails, but users should understand the operational impact.

Skill content
POST | `/compose.delete` ... body.composeId, body.deleteVolumes
POST | `/compose.deploy`
POST | `/compose.stop`
Recommendation

Use it only for explicit Dokploy tasks, review target IDs and payloads before mutations, and keep backups/rollback plans for production changes.