docker-remote

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Docker-over-SSH helper, but it gives an agent broad remote command and service-control power without enough built-in scoping or confirmation guidance.

Install only if you want an agent to administer Docker Compose servers over SSH. Use a dedicated non-root deployment user, restrict SSH keys to approved hosts and directories, review deploy-apps.json before each use, and require explicit human confirmation for down, restart, update, exec, and any custom command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The documented `command` parameter for `docker_compose_update` allows arbitrary shell execution on the remote host, which exceeds the stated Docker Compose management scope and effectively turns the skill into a generic remote command runner. In a high-privilege SSH context, this can enable arbitrary code execution, persistence, data exfiltration, or destructive system changes if the parameter is influenced by untrusted input or misunderstood by users.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The `deploy-apps.json` configuration includes per-app `update-command` values that the agent automatically reads and executes, creating an indirect arbitrary command execution path on remote hosts. Because this behavior is configuration-driven and automatic, it increases the risk of malicious or tampered configuration leading to privileged remote execution beyond Docker Compose lifecycle management.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The skill exposes destructive remote operations such as stopping services, removing containers, networks, and volumes, but does not prominently warn users about the risk of service disruption or data loss. In a remote administration context, missing safety guidance makes accidental misuse more likely, especially when targeting production infrastructure over SSH.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The documentation states that the agent automatically reads deployment configuration to resolve hosts, users, paths, and SSH-related mappings, but does not provide a clear privacy/security warning about trust boundaries or the sensitivity of that configuration. This can mislead users into underestimating the risk of automatic targeting, credential association, and execution against unintended remote systems if the configuration is stale, poisoned, or overly permissive.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding:
The examples demonstrate powerful remote Docker Compose operations over SSH against arbitrary hosts and paths, including image updates, log streaming, and command execution inside containers, but provide no guardrails, allowed-target constraints, or examples of safe scoping. In an agent setting, this broad invocation pattern can normalize dangerous use and increase the chance of unauthorized deployment changes, service disruption, or remote command execution on production infrastructure.

Natural-Language Policy Violations

Severity: Low
Confidence: 78%
Finding:
The example embeds a user-specific local SSH private key path, which leaks assumptions about local credential locations and encourages the agent or user to rely on a specific sensitive file without explicit opt-in. While not a secret itself, it can expose workstation structure, promote unsafe key handling patterns, and cause accidental use of privileged credentials in the wrong context.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The documentation explicitly suggests using the root user for Docker commands on the remote host. In a skill designed for remote Docker administration over SSH, normalizing root access increases the chance that operators will run high-privilege commands routinely, expanding the blast radius of credential compromise or command misuse.

VirusTotal

64/64 vendors flagged this skill as clean.