Portainer

Security checks across malware telemetry and agentic risk

Overview

This is a real Portainer management skill, but it gives broad Docker admin control with weak transport security and little built-in safety gating.

Install only if you intentionally want an agent to administer Portainer and Docker. Use a least-privilege Portainer token, avoid production targets unless you add confirmations or allowlists, enable real TLS certificate verification, and treat raw Docker API, deploy, update, prune, and remove operations as actions that can interrupt services or delete resources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Tainted flow: 'url' from os.environ.get (line 131, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
url = f"{PORTAINER_API_URL}/endpoints/{environment_id}/docker{path}"

if method.upper() == "GET":
    response = requests.get(url, headers=headers, params=payload, timeout=10, verify=False)
elif method.upper() == "POST":
    response = requests.post(url, headers=headers, json=payload, timeout=10, verify=False)
elif method.upper() == "DELETE":
Confidence
86% confidence
Finding
response = requests.get(url, headers=headers, params=payload, timeout=10, verify=False)

Tainted flow: 'url' from os.environ.get (line 131, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
if method.upper() == "GET":
    response = requests.get(url, headers=headers, params=payload, timeout=10, verify=False)
elif method.upper() == "POST":
    response = requests.post(url, headers=headers, json=payload, timeout=10, verify=False)
elif method.upper() == "DELETE":
    response = requests.delete(url, headers=headers, json=payload, timeout=10, verify=False)
else:
Confidence
88% confidence
Finding
response = requests.post(url, headers=headers, json=payload, timeout=10, verify=False)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill exposes sensitive capabilities involving network access and secret handling via a Portainer API key, yet it declares no explicit permissions or safety boundaries. In a system that relies on permission metadata for review or runtime enforcement, this creates a transparency and access-control gap that can lead to over-privileged use of Docker and Portainer operations, including raw Docker API proxying.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill manifest frames the capability as Portainer environment and stack management, but the implementation includes a generic raw Docker API proxy that can perform far broader operations than users would reasonably expect. This mismatch is dangerous because it hides privileged functionality behind a less alarming description, increasing the chance of misuse or overbroad delegation.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Arbitrary Docker command execution is broader than necessary for listing environments and managing stacks, and it can be used for destructive or host-compromising actions. In a skill meant for routine orchestration tasks, this capability significantly increases blast radius and abuse potential.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The README advertises destructive actions like deploying and removing stacks and executing raw Docker commands, but it does not clearly warn about service interruption, data loss, or the blast radius of these operations. In the context of an infrastructure-management skill with broad Portainer access, this can lead users to invoke dangerous actions without understanding operational consequences.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill advertises stack deletion functionality without any warning, confirmation requirement, or caution about irreversible operational impact. In the Portainer context, deleting a stack can stop services and remove infrastructure unexpectedly, making this more dangerous because the skill is explicitly intended for live environment management.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Stack deletion occurs immediately with no confirmation, dry-run, or policy check, making accidental or coerced destructive actions easier. In an agent skill context where actions may be triggered from natural-language requests, missing safety interlocks materially raises operational risk.

Missing User Warnings

High
Confidence
95% confidence
Finding
The raw Docker API executor can perform destructive operations such as deleting containers, networks, volumes, or launching privileged containers, yet the code provides no warnings, confirmations, or restrictions. In an AI-agent setting, lack of explicit safety prompts around these actions creates substantial risk of harmful execution from ambiguous or manipulated instructions.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"version": "1.0.0",
  "description": "Manages Portainer CE environments and stacks via HTTP API.",
  "dependencies": {
    "requests": "^2.31.0",
    "urllib3": "^2.0.0"
  },
  "openclaw": {
Confidence
88% confidence
Finding
"requests": "^2.31.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"description": "Manages Portainer CE environments and stacks via HTTP API.",
  "dependencies": {
    "requests": "^2.31.0",
    "urllib3": "^2.0.0"
  },
  "openclaw": {
    "entrypoint": "scripts/portainer_manager.py"
Confidence
88% confidence
Finding
"urllib3": "^2.0.0"

VirusTotal

64/64 vendors flagged this skill as clean.
