Back to skill

Security audit

Portainer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Portainer control skill, but it gives an agent live infrastructure control with weak confirmation and scoping guidance.

Install only if you want an agent to control your Portainer environment. Use a least-privilege Portainer API token, prefer non-production or tightly scoped endpoints, protect ~/.clawdbot/.env, and require explicit confirmation with exact stack/container and endpoint names before stop, restart, or redeploy actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill exposes shell-based operational capabilities but does not declare permissions or guardrails in the skill metadata. In an agent environment, undeclared shell access increases the chance of overbroad execution, weak reviewability, and accidental invocation of infrastructure-changing actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documented commands can stop, restart, or redeploy production containers and stacks, but the skill text provides no explicit warning about downtime, no confirmation step, and no requirement to verify target/environment before execution. In practice, broad operational commands without friction can cause service disruption from accidental or ambiguous requests.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The integration examples map broad natural-language phrases like 'Redeploy the website' or 'Restart the Minecraft server' directly to privileged infrastructure actions. This makes unintended invocation more likely, especially in conversational contexts where the agent may over-assume intent and trigger disruptive operations.

Credential Access

High
Category
Privilege Escalation
Content
# Try to load from clawdbot .env if not set
if [[ -z "$PORTAINER_URL" || -z "$PORTAINER_API_KEY" ]]; then
    ENV_FILE="$HOME/.clawdbot/.env"
    if [[ -f "$ENV_FILE" ]]; then
        export $(grep -E "^PORTAINER_" "$ENV_FILE" | xargs)
    fi
Confidence
89% confidence
Finding
.env"

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.