Skill v1.0.1

ClawScan security

Dokploy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 10, 2026, 2:14 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's scripts match its stated purpose (managing a Dokploy API), but the package/registry metadata does not declare the environment variables and binaries the scripts actually require, creating an incoherence you should understand before installing.
Guidance: The scripts appear to do what the description says, but the published metadata omitted key requirements. Before installing:
1) Verify you have curl and jq installed.
2) Only provide DOKPLOY_API_KEY to trusted Dokploy instances (DOKPLOY_API_URL), because the CLI will send that key to whatever URL you set.
3) Be aware the skill will write ~/.dokployrc containing your API URL and key in plain text; if you prefer, avoid using dokploy-config set and instead export env vars per session.
4) If the registry page doesn't list required env vars or binaries, ask the publisher to fix the metadata or inspect the scripts yourself (they are included) to confirm no unexpected behavior.
If you cannot verify the upstream source of this skill, consider withholding the API key or running the scripts in an isolated environment first.

Review Dimensions

Purpose & Capability
note: The code (bash CLI scripts) implements project, app, domain, and deployment management against a Dokploy REST API, which matches the skill name/description. The scripts use curl/jq to call endpoints documented in SKILL.md and perform the expected actions.
Instruction Scope
ok: SKILL.md and the scripts only instruct the agent/user to call the Dokploy API, read/write a single config file (~/.dokployrc), and use curl/jq. They do not attempt to read unrelated system secrets or post data to unexpected external services beyond the configured DOKPLOY_API_URL.
Install Mechanism
ok: There is no install spec or remote download. The skill is instruction-only with bundled shell scripts. No external archives, package installs, or URL downloads are performed during install.
Credentials
concern: Registry metadata at the top claims no required env vars or binaries, but .clawdhub/package.json and SKILL.md/scripts require DOKPLOY_API_URL, DOKPLOY_API_KEY and the binaries curl and jq. This mismatch is an incoherence: the scripts will fail or prompt for secrets if those env vars/binaries are not present, and the registry did not advertise that requirement.
Persistence & Privilege
note: The skill does not request elevated privileges or 'always' inclusion. It does write a per-user config file (~/.dokployrc) to store the API URL and key, which is reasonable for a CLI but worth noting because it persists an API key in the user's home directory (in plain text).