Portainer
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its Portainer-management purpose, but it gives an agent broad Docker infrastructure control and weakens API-key transport safeguards.
Install only if you are comfortable giving OpenClaw controlled access to Portainer. Use a least-privilege API token, require explicit approval for destructive or raw Docker commands, enable proper TLS verification, and avoid printing stack files that contain secrets.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or manipulated invocation could restart, delete, or alter containers, networks, volumes, or other Docker resources within the Portainer account’s permissions.
The caller controls the Docker API path, method, and payload, allowing broad GET/POST/DELETE operations through Portainer with no allowlist or confirmation check in the artifact.
    def execute_docker_command(environment_id, path, method="GET", payload=None):
        ...
        url = f"{PORTAINER_API_URL}/endpoints/{environment_id}/docker{path}"
        ...
        requests.post(...)
        ...
        requests.delete(...)
Use a least-privilege Portainer token, require explicit user confirmation for deploy/remove/raw Docker actions, and add allowlists or blocklists for Docker API endpoints.
Someone able to intercept network traffic could capture the Portainer API key or tamper with infrastructure-management responses.
API-key-authenticated Portainer requests disable certificate verification and suppress the related warnings, which can expose the token or allow command interception if used against a remote or spoofed endpoint.
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    ...
    headers = {"X-API-Key": token, "Content-Type": "application/json"}
    ...
    verify=False
Enable TLS verification by default, support a configured CA bundle for self-signed Portainer deployments, and make any insecure mode explicit and limited to trusted local use.
Users may not get a clear registry-level warning that this skill needs a powerful infrastructure API credential.
The registry metadata does not declare the Portainer credential even though the skill documentation and backend require a Portainer API token, reducing transparency in credential prompting and review.
Required env vars: none; Env var declarations: none; Primary credential: none
Declare the Portainer URL and API token requirements in metadata and align the documented OpenClaw config names with the environment variables used by the script.
Secrets or internal configuration embedded in stack files could appear in chat output or logs.
Stack inspection can print full stack file contents into the agent output; compose files and stack JSON may contain environment variables or other sensitive configuration.
    output_data["StackFileContent"] = file_response.json().get("StackFileContent", "")
    ...
    print(json.dumps(output_data, indent=2), flush=True)
Redact likely secrets and environment values by default, and ask before displaying full stack files.
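Added example (not the skill's own code) implementing the recommendations of the Docker-proxy, TLS and stack-file findings above: a method/path allowlist with confirmation for mutating calls, a verify= setting that defaults on and accepts a configured CA bundle instead of verify=False, and redaction of secret-looking values before stack file text is printed. PORTAINER_API_URL, PORTAINER_API_KEY, PORTAINER_CA_BUNDLE and the allowlist entries are assumed names and policy, not the skill's.

```python
import os
import re

# Assumed configuration names (this example's own, not the skill's).
PORTAINER_API_URL = os.environ.get("PORTAINER_API_URL", "https://portainer.example:9443/api")
PORTAINER_CA_BUNDLE = os.environ.get("PORTAINER_CA_BUNDLE")  # CA file for self-signed deployments

# Read-only Docker API calls the agent may proxy without asking (assumed policy); mutating verbs need confirmation.
ALLOWED = [("GET", r"/containers/json"), ("GET", r"/containers/[^/]+/json"),
           ("GET", r"/images/json"), ("GET", r"/info")]
CONFIRM_REQUIRED = {"POST", "PUT", "DELETE"}

SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|api[_-]?key|private[_-]?key)", re.I)
KV_LINE_RE = re.compile(r"^(\s*-?\s*)([A-Za-z0-9_.-]+)(\s*[:=]\s*)(.+)$")

def classify_docker_call(method, path):
    """Return 'allow', 'confirm' or 'deny' for a proxied Docker API call."""
    method = method.upper()
    if any(m == method and re.fullmatch(pat, path) for m, pat in ALLOWED):
        return "allow"
    return "confirm" if method in CONFIRM_REQUIRED else "deny"

def tls_verify_setting():
    """Value for requests' verify=: the configured CA bundle path, else True; never False."""
    return PORTAINER_CA_BUNDLE or True

def redact_stack_file(content):
    """Mask values of secret-looking KEY=VALUE / key: value lines in compose or stack text."""
    out = []
    for line in content.splitlines():
        m = KV_LINE_RE.match(line)
        if m and SECRET_KEY_RE.search(m.group(2)):
            line = f"{m.group(1)}{m.group(2)}{m.group(3)}[REDACTED]"
        out.append(line)
    return "\n".join(out)

def execute_docker_command(environment_id, path, method="GET", payload=None, confirmed=False):
    """Hardened proxy call: policy check first, then a TLS-verified request."""
    decision = classify_docker_call(method, path)
    if decision == "deny":
        raise PermissionError(f"{method} {path} is not on the Docker API allowlist")
    if decision == "confirm" and not confirmed:
        raise PermissionError(f"{method} {path} mutates infrastructure; user confirmation required")
    import requests  # imported here so the policy helpers above work without it installed
    url = f"{PORTAINER_API_URL}/endpoints/{environment_id}/docker{path}"
    headers = {"X-API-Key": os.environ["PORTAINER_API_KEY"], "Content-Type": "application/json"}
    resp = requests.request(method.upper(), url, headers=headers, json=payload,
                            verify=tls_verify_setting(), timeout=30)
    resp.raise_for_status()
    return resp.json()
```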
Manual global dependency installation can introduce dependency conflicts or unreviewed package provenance risk.
The setup guidance asks users to install Python packages globally outside a reviewed install spec or lockfile. This is user-directed and purpose-aligned, but it changes the runtime environment.
RUN pip3 install requests --break-system-packages
Prefer a pinned requirements file or virtual environment, and review/pin the source before installing.
