Skill v1.0.0
ClawScan security
Docker Socket Proxy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 8:00 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose of talking to a docker-socket-proxy and do not request unrelated credentials or install arbitrary third‑party code, but review proxy configuration and the included script before use.
- Guidance: This skill appears to do what it says: it talks only to a docker-socket-proxy and requires curl and jq. Before installing, verify the proxy is configured with the minimum API sections you need (avoid enabling EXEC, SECRETS, SWARM, IMAGES, etc., unless strictly necessary). Review the included scripts yourself (run-docker.sh) and prefer running the proxy on a trusted host and network. Note the registry metadata omitted required binaries (curl/jq) and the skill source/homepage are listed as unknown — if provenance matters for you, request a canonical upstream or author confirmation. If you allow autonomous agent use, consider limiting the agent's permissions or requiring manual approval for operations that run commands inside containers or list secrets.
Review Dimensions
- Purpose & Capability (note): The skill claims to manage a Docker host via tecnativa/docker-socket-proxy and the script implements calls to the Docker REST API (containers, images, networks, volumes, swarm, secrets, exec, etc.). This aligns with the description. Minor inconsistency: the registry metadata listed no required binaries, while the SKILL.md metadata and README both require curl and jq — these are reasonable for the stated purpose but the metadata mismatch should be noted.
- Instruction Scope (note): Runtime instructions tell the agent to run the provided shell script which issues HTTP requests to the proxy only (no other external endpoints) and does not read arbitrary host files. However, several modes (notably exec and Swarm secrets listing) allow the agent to run commands inside containers or view sensitive Swarm secrets if the proxy has those API sections enabled — this is expected functionality but increases risk if the proxy is over-privileged.
- Install Mechanism (ok): There is no install spec that downloads or writes code to disk; this is an instruction-only skill with an included shell script. No remote archive downloads or third‑party install steps are present.
- Credentials (note): The script uses DOCKER_PROXY_URL and DOCKER_HOST to locate the proxy (appropriate). It does not request credentials or other unrelated environment variables. Be aware that the Docker API surface includes sensitive items (secrets, swarm configs, the ability to exec into containers) — access to those depends solely on which sections are enabled in the proxy, not on the skill itself.
- Persistence & Privilege (ok): The skill is not always-enabled, does not request elevated platform privileges, and does not attempt to modify other skills or system-wide agent settings. Autonomous model invocation is allowed by default (normal for skills) but is not combined with any hidden persistence or elevated privileges in the package.
