Security audit

Docker Health Monitor

Security checks across malware telemetry and agentic risk

Overview

This Docker health skill is mostly coherent, but its default health report can pull images and change Docker image state while presenting the check as advisory monitoring.

Review before installing, especially on production or remote Docker contexts. Use only `--status`, `--resources`, or `--restarts` if you want local read-only checks; avoid the default `--all` and `--images` unless you accept registry network access and possible Docker image cache changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Medium, 96% confidence

Finding: The script is presented as a monitoring/health-check utility, but `check_images` runs `docker pull`, which can modify the local Docker image cache and potentially change what image data is stored locally. In an agent context, a user asking for a passive health report would not reasonably expect a state-changing network operation, making this a real safety issue due to side effects and unexpected environment mutation.

Intent-Code Divergence

Medium, 98% confidence

Finding: The comment says the code will 'just get the manifest, don't pull layers,' but the implementation actually executes `docker pull`. This mismatch is dangerous because reviewers and users may trust the comment and approve execution under the false assumption that the check is read-only, when it can perform network access and mutate local Docker state.

Missing User Warnings

Medium, 84% confidence

Finding: The notes explicitly describe access to the Docker socket, remote Docker contexts, and registry/network checks without clearly warning that these operations expose sensitive system metadata and can affect highly privileged infrastructure. Because Docker socket access is effectively root-equivalent on many systems and remote contexts may target production hosts, insufficient disclosure increases the chance of unsafe use in sensitive environments.

Missing User Warnings

Medium, 92% confidence

Finding: The image check performs an external registry/network operation without clear warning in the interface beyond a generic health-monitor description. In many environments, unexpected outbound access can leak what images are in use, trigger audit events, fail in restricted networks, or violate the user's expectation that monitoring is local-only.

VirusTotal

64 of 64 vendors reported this skill as clean.

Static analysis

No suspicious patterns detected.