Dokploy

Security checks across malware telemetry and agentic risk

Overview

This Dokploy skill matches its deployment-management purpose, but it needs review because it can expose or persist high-impact API credentials and raw application secrets.

Install only if you are comfortable giving the skill a Dokploy API key with deployment-management authority. Use the narrowest key possible, avoid running `config show`, treat `env list` and `logs` as potentially secret-bearing output, and manually review every deploy, environment, domain, or delete command before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation includes destructive commands such as project/application/domain deletion without warning users about irreversible effects, scope, or the need for confirmation. In an agent-assisted context, this increases the chance of accidental production deletion or misuse by prompting a user or agent to run dangerous commands without adequate friction.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Commands that change environment variables or trigger deployments can immediately alter running services, cause outages, or expose applications to broken configurations, yet the documentation presents them without service-impact warnings. In deployment tooling, these operations are especially sensitive because they can affect live infrastructure and customer-facing systems.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation instructs users to export and display API credentials, including use of a `config show` command, without warning that tokens are sensitive secrets that can leak via shell history, screenshots, logs, or shared terminals. Because the API key grants management access to deployments and applications, credential exposure could enable unauthorized administrative actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The `env list` command prints all environment variable key/value pairs directly to stdout. In a deployment-management skill, environment variables commonly contain secrets such as API keys, database passwords, and tokens, so this behavior can easily disclose credentials through terminal history, logs, or downstream tool output.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The `logs` command fetches and outputs deployment logs without any warning or filtering. Application and deployment logs frequently contain secrets, stack traces, tokens, connection strings, or personal data, so unconditional display increases the chance of accidental exposure to users, transcripts, or centralized logging systems.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script persists the Dokploy API key in plaintext to `$HOME/.dokployrc`, which leaves a long-lived credential on disk that may be exposed through weak file permissions, backups, shell history, endpoint compromise, or accidental sharing. In this skill context, the key grants deployment-management access, so disclosure could let an attacker modify applications, domains, or deployments through the Dokploy API.

VirusTotal

65/65 vendors flagged this skill as clean.
