Security audit

Docker Health Monitor

Security checks across malware telemetry and agentic risk

Overview

This Docker health skill is mostly coherent, but its default health report can pull images and change Docker image state while presenting the check as advisory monitoring.

Review before installing, especially on production or remote Docker contexts. Use only `--status`, `--resources`, or `--restarts` if you want local read-only checks; avoid the default `--all` and `--images` unless you accept registry network access and possible Docker image cache changes.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Description-Behavior Mismatch

Medium

Confidence: 96% confidence
Finding: The script is presented as a monitoring/health-check utility, but `check_images` runs `docker pull`, which can modify the local Docker image cache and potentially change what image data is stored locally. In an agent context, a user asking for a passive health report would not reasonably expect a state-changing network operation, making this a real safety issue due to side effects and unexpected environment mutation.

Intent-Code Divergence

Medium

Confidence: 98% confidence
Finding: The comment says the code will 'just get the manifest, don't pull layers,' but the implementation actually executes `docker pull`. This mismatch is dangerous because reviewers and users may trust the comment and approve execution under the false assumption that the check is read-only, when it can perform network access and mutate local Docker state.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The notes explicitly describe access to the Docker socket, remote Docker contexts, and registry/network checks without clearly warning that these operations expose sensitive system metadata and can affect highly privileged infrastructure. Because Docker socket access is effectively root-equivalent on many systems and remote contexts may target production hosts, insufficient disclosure increases the chance of unsafe use in sensitive environments.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The image check performs an external registry/network operation without clear warning in the interface beyond a generic health-monitor description. In many environments, unexpected outbound access can leak what images are in use, trigger audit events, fail in restricted networks, or violate the user's expectation that monitoring is local-only.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.