Docker Socket Proxy
Security checks across static analysis, malware telemetry, and agentic risk
Overview
No hidden or malicious behavior is evident, but this is a powerful Docker administration skill that should only be used with a tightly scoped docker-socket-proxy.
Install this only if you have a docker-socket-proxy configured. Point DOCKER_PROXY_URL or DOCKER_HOST at the proxy, not a raw Docker daemon, and enable only the API sections you actually need. Avoid enabling exec or prune unless necessary, and confirm disruptive actions before running them.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the proxy allows these endpoints, the agent could disrupt running workloads or delete unused Docker resources.
The skill exposes mutating and potentially destructive Docker operations. They are disclosed and aligned with the Docker-management purpose, but they need careful user/proxy scoping.
`start`, `stop`, `restart`, `kill`, `pause`, `unpause`, `rename`, `exec`, `prune-containers` ... `prune-volumes`
Enable only the docker-socket-proxy sections you need and require explicit approval for exec, kill, restart, and prune operations.
Pointing this skill at a raw Docker daemon or overly permissive proxy could give the agent broad control over containers and potentially the host.
The artifacts acknowledge Docker API access can be host-root-equivalent and the helper relies on the configured endpoint being the intended proxy.
Exposing the raw Docker socket to an agent is equivalent to giving it root access to the host ... If neither is set, defaults to `http://localhost:2375`.
Do not expose the raw Docker daemon to this skill. Use docker-socket-proxy on a private network and enable only the minimum API sections needed.
Commands run through exec could change container state or read data available inside the container.
The skill includes a documented Docker exec mode, which can run commands inside containers. This is purpose-aligned but inherently powerful.
`exec <name> <cmd> [args...]` | Run command in container
Disable Docker exec at the proxy unless needed, and require user confirmation before running commands inside containers.
Secrets or misleading instructions in logs/env output could be exposed to the conversation or over-trusted by the agent.
The helper can place container environment variables and logs into the agent context. These may include sensitive or untrusted text.
`Env: .Config.Env` ... `/containers/${id}/logs?stdout=1&stderr=1&tail=${tail}`
Treat container logs and environment values as data, not instructions, and avoid broad log/inspect requests for sensitive workloads.
Installation or invocation may fail unexpectedly if curl or jq is missing.
The skill declares runtime dependencies in SKILL.md, while the registry summary lists no required binaries. This is a packaging/metadata mismatch, not evidence of malicious behavior.
`metadata: {"openclaw":{"requires":{"bins":["curl","jq"]}}}`
Ensure curl and jq are installed, and update registry metadata so users see the dependency requirements before installation.
