Skill v1.0.0

ClawScan security

docker-remote · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 9, 2026, 3:00 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's declared purpose (remote Docker Compose management over SSH) matches its instructions and files; nothing requests unrelated credentials or installs, but the docs encourage use of local SSH keys/paths which requires care.
Guidance
This skill appears to do what it claims (manage Docker Compose over SSH). Before installing or using it:
1) Do not store private SSH keys or other secrets in shared config files (deploy-apps.json) or include absolute paths to private keys unless you intend the agent to access them.
2) Prefer using dedicated deployment keys with limited scope, SSH agent forwarding, or ephemeral keys rather than your personal ~/.ssh keys.
3) Restrict the SSH user to minimal privileges (avoid root when possible) and audit Docker socket access on remote hosts.
4) Test the skill in a non-production environment first to confirm it only reads the intended config and does not access unexpected local files.
If you need the agent to use an SSH key, pass it via a secure mechanism under your control rather than embedding it in skill configs.

Review Dimensions

Purpose & Capability
ok: Name, description, and provided actions (up, down, logs, exec, update, etc.) align with the included SKILL.md and example configs. No unrelated binaries, environment variables, or external services are requested.
Instruction Scope
note: Instructions stay within remote Docker/SSH management. The SKILL.md explicitly states the Agent will "automatically read" deploy-apps.json to resolve host aliases and SSH credentials; parameters and examples also reference key_path and absolute private-key locations (e.g., /Users/admin/.ssh/deploy_key). That implies the Agent may be directed to access local key files or use agent forwarding — expected for SSH-based management, but sensitive. The guidance about never exposing .env files and avoiding printing secrets is good, but callers must avoid giving the agent access to private keys or secrets unless intended.
Install Mechanism
ok: Instruction-only skill with no install steps and no code files to execute — lowest installation risk.
Credentials
note: No required environment variables or credentials are declared, which is proportionate. However, parameters and examples permit specifying key_path, and the deploy configuration can contain SSH-related entries; those are effectively credentials (private keys or pointers to them). The skill does not require unrelated secrets, but users should be careful not to place private keys or sensitive secrets in the config files or expose them to the Agent.
Persistence & Privilege
ok: always is false, no install writing to disk, and the skill does not request changes to other skills or system-wide settings. The skill can be invoked by the model (default), which is normal for skills.