
Security audit

Docker Container Cleaner

Security checks across malware telemetry and agentic risk

Overview

This skill is a Docker cleanup tool, but it can delete Docker resources without the confirmation its documentation promises.

Review carefully before installing. Use only on non-production Docker hosts or after backups, run --dry-run first, and do not rely on the documented interactive confirmation unless the implementation is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill explicitly instructs users to run a Python CLI that invokes Docker cleanup operations, which is a shell-capable action with potentially destructive effects, yet the manifest declares no permissions. This creates a transparency and governance gap: consumers or policy engines may treat the skill as lower risk than it is, despite it being able to delete containers, images, volumes, and networks or run forced prune operations.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The CLI advertises selective image cleanup semantics, but the implementation maps --unused to docker image prune --all, which removes all unused images. This discrepancy can cause operators or automation to delete more data than intended, creating integrity and availability risk through destructive misoperation.

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The status logic labels all volumes and networks as unused without actually checking usage, so dry-run and summary output can falsely assure users that resources are safe to remove. In a cleanup tool, this materially increases the chance of deleting active persistent data or network configuration, making the misleading behavior security-relevant.

Missing User Warnings

High
Confidence: 99%
Finding
The code always appends --force for prune operations, even when the user did not request force, yes, or non-interactive behavior. That makes destructive cleanup non-interactive by default and contradicts the CLI's safety expectations, increasing the risk of accidental deletion of containers, images, volumes, or networks in privileged Docker environments.

VirusTotal

64/64 vendors flagged this skill as clean.
