Skill v1.0.0

ClawScan security

Docker Essentials · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 11, 2026, 8:33 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only Docker reference that is internally consistent with its stated purpose; it contains no install steps or requests for secrets, though there's a small metadata inconsistency about the required binary.
Guidance
This appears to be a benign, read-only Docker cheat sheet. Things to consider before installing: (1) SKILL.md indicates the Docker CLI is required — ensure you have a trusted docker installation. (2) Examples include mounting host paths and passing environment variables (including DB passwords) — avoid copying examples with secrets or mounting sensitive host directories into containers. (3) The skill is instruction-only and makes no secret requests, but if you allow an autonomous agent to execute Docker commands on your host, those commands will have real effects on your system; only permit execution if you trust the agent and the images you run. (4) The minor metadata mismatch about required binaries is likely harmless but you may want the publisher to correct it for clarity.

Review Dimensions

Purpose & Capability
note: The skill's name and content are a straightforward Docker command reference — that purpose matches the content. Minor inconsistency: registry metadata reported no required binaries, but the SKILL.md embedded metadata lists 'docker' under required bins. Requiring the Docker CLI is expected for this skill; the mismatch is likely a metadata packaging oversight.
Instruction Scope
ok: SKILL.md contains only example Docker and docker-compose commands and workflows (run, build, exec, volumes, networks, pruning, etc.). It does not instruct the agent to read host files, search system state, access external endpoints, or exfiltrate secrets. Examples do show mounting host paths and passing env vars (e.g., POSTGRES_PASSWORD=secret) — normal for examples but potentially risky if copied verbatim.
Install Mechanism
ok: No install spec or code files — instruction-only. That is low risk because nothing is downloaded or written by the skill itself.
Credentials
ok: The skill declares no required environment variables or credentials. The SKILL.md uses example environment variables in commands but does not request access to any secrets or unrelated services; this is proportionate.
Persistence & Privilege
ok: always:false and user-invocable:true (defaults). The skill does not request permanent presence or elevated platform privileges and does not modify other skills or system-wide agent settings.