
Security audit

Docker Manager

Security checks across malware telemetry and agentic risk

Overview

The scanned code in this Docker skill does nothing more than list running container names with `docker ps`, but its package metadata mixes in unrelated financial referral links, and its instructions advertise high-impact Docker cleanup actions (pruning, bulk and automatic cleanup) without any stated safety boundaries.

Install only if you are comfortable with a skill that can inspect Docker container names and whose package metadata contains unrelated financial referral links. Do not rely on its advertised cleanup, pruning, or monitoring features without reviewing the code first, and avoid running destructive Docker operations unless you have explicit backups, filters, and confirmation controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
#!/usr/bin/env python3
import json, subprocess, sys
r = subprocess.run(["docker","ps","--format","{{.Names}}"], capture_output=True, text=True)
print(json.dumps({"containers": r.stdout.strip().split("\n") if r.stdout.strip() else []}))
Confidence
96% confidence
Finding
r = subprocess.run(["docker","ps","--format","{{.Names}}"], capture_output=True, text=True)
The call passes a fixed argument list without shell=True, so there is no shell-injection path here; the concern is the capability itself (invoking the Docker CLI against the host daemon), not the way it is invoked.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
This skill inspects the local Docker environment despite no stated purpose justifying host introspection. In agent environments, enumerating running containers can reveal internal service names, workloads, and deployment structure that assist reconnaissance or later attacks.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The manifest description for a Docker management skill embeds unrelated crypto and stock referral links, which is inconsistent with the stated functionality and indicates likely promotional or social-engineering content. Users may be tricked into visiting external financial links under the trust of an infrastructure tool, creating phishing, fraud, or reputation risks even though this file alone does not execute code.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill advertises destructive Docker operations such as image pruning, cleanup, bulk operations across hosts, and auto-cleanup without any warning about data loss, service disruption, or the scope of removal. In an agent-operated context this increases the chance that a user or an automation will run a command such as prune with insufficient review, deleting images, containers, logs, or other resources that production workloads still need. The scanned code does not implement any of these operations; the risk is that the instructions invite an agent to run them unguarded.
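The controls the finding asks for (explicit filters, a preview, and a confirmation step) are straightforward to build. The following is an added example written for this audit, not code from the skill or from the SkillSpector report. It invokes the docker CLI the same way the skill does (an argv list, no shell) but never issues an open-ended `prune`: it enumerates candidates with an allowlisted filter, returns them as a plan, and removes only those exact IDs once the caller supplies a confirmation token that embeds the item count, so a stale or edited plan cannot be executed by accident. The allowlist of filter keys, the confirmation phrase and the injectable runner are this example's own design choices; the `docker ps`, `docker image ls`, `docker rm` and `docker rmi` flags used are the standard ones.

```python
#!/usr/bin/env python3
"""Guarded Docker cleanup with a mandatory preview step (added example).

Removal only ever targets IDs that a filtered listing returned, and only after
the caller types a confirmation phrase that includes the count of items in the
plan. The command runner is injectable so the logic can be exercised without a
Docker daemon (the tests use a fake runner with constructed output).
"""
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence

Runner = Callable[[Sequence[str]], str]

# Filter keys this wrapper will forward (example policy, not a Docker limit).
# Anything else, or no filter at all, is rejected: an unfiltered removal is
# exactly the scenario the audit finding warns about.
ALLOWED_FILTERS: Dict[str, tuple] = {
    "container": ("status", "label"),
    "image": ("dangling", "label"),
}

LIST_ARGV = {
    "container": ["docker", "ps", "-a", "--format", "{{.ID}}"],
    "image": ["docker", "image", "ls", "--format", "{{.ID}}"],
}
REMOVE_ARGV = {"container": ["docker", "rm"], "image": ["docker", "rmi"]}


@dataclass
class CleanupPlan:
    kind: str
    targets: List[str]    # IDs the preview found; removal touches only these
    list_argv: List[str]  # the exact listing command that produced them


def real_runner(argv: Sequence[str]) -> str:
    """Run a docker command as an argv list (no shell); raise on non-zero exit."""
    return subprocess.run(list(argv), capture_output=True, text=True, check=True).stdout


def validate_filters(kind: str, filters: Sequence[str]) -> List[str]:
    """Accept only key=value filters whose key is allowlisted for this kind."""
    if kind not in ALLOWED_FILTERS:
        raise ValueError(f"unknown resource kind {kind!r}")
    if not filters:
        raise ValueError("refusing unfiltered cleanup; pass e.g. status=exited or label=env=scratch")
    for f in filters:
        key, sep, value = f.partition("=")
        if not sep or not value or key not in ALLOWED_FILTERS[kind]:
            raise ValueError(f"filter {f!r} not allowed for {kind}; allowed keys: {ALLOWED_FILTERS[kind]}")
    return list(filters)


def plan_cleanup(kind: str, filters: Sequence[str], run: Runner = real_runner) -> CleanupPlan:
    """Dry run: enumerate what would be removed and delete nothing."""
    argv = list(LIST_ARGV[kind])
    for f in validate_filters(kind, filters):
        argv += ["--filter", f]
    ids = [line.strip() for line in run(argv).splitlines() if line.strip()]
    return CleanupPlan(kind, ids, argv)


def confirmation_token(plan: CleanupPlan) -> str:
    """The exact phrase a caller must supply; it changes whenever the plan does."""
    return f"delete {len(plan.targets)} {plan.kind}(s)"


def execute_cleanup(plan: CleanupPlan, confirm: str, run: Runner = real_runner) -> List[str]:
    """Remove exactly the previewed IDs, and only with a matching confirmation.

    Returns the argv that was run (empty list if there was nothing to remove).
    """
    if not plan.targets:
        return []
    if confirm != confirmation_token(plan):
        raise PermissionError(f"confirmation mismatch; expected {confirmation_token(plan)!r}")
    argv = REMOVE_ARGV[plan.kind] + plan.targets
    run(argv)
    return argv


if __name__ == "__main__":
    import sys
    # Usage: guarded_cleanup.py container status=exited [label=env=scratch ...]
    kind, *filters = sys.argv[1:] or ["container", "status=exited"]
    plan = plan_cleanup(kind, filters)
    print("\n".join(plan.targets) or "(nothing matched)")
    if plan.targets:
        token = confirmation_token(plan)
        if input(f"Type '{token}' to proceed: ") == token:
            execute_cleanup(plan, token)
```

Removing by explicit ID rather than calling `docker image prune` or `docker system prune` means the preview and the action operate on the same list, so what the operator approved is exactly what gets deleted. An agent driving this wrapper still has to present the plan to a human (or to a policy check) to obtain the token; it cannot derive the token without first producing the plan.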

Natural-Language Policy Violations

Low
Confidence
68% confidence
Finding
The description includes a hardcoded Chinese-language referral URL segment in a skill whose declared purpose is Docker management, suggesting locale-targeted promotion without user choice or relevance to the feature set. While lower severity than direct code abuse, this can signal deceptive packaging and a willingness to steer users toward specific third-party destinations without consent.

VirusTotal

64/64 vendors flagged this skill as clean. A clean VirusTotal result covers known-malware detection only; it does not speak to the behavioural and metadata findings above, which no antivirus signature would catch.