v0.1.1

Portainer

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:28 AM.

Analysis

This appears to be a real Portainer/Docker management skill, but it grants broad infrastructure control through a powerful API key and raw Docker proxy.

Guidance: Treat this like giving the agent admin access to your Docker environment. Install only if you trust the source, use a least-privilege Portainer token, require manual approval for deploy/update/remove/raw Docker commands, enable proper TLS verification, and avoid inspecting stacks that contain secrets unless you are comfortable exposing them in chat.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
scripts/portainer_manager.py
url = f"{PORTAINER_API_URL}/endpoints/{environment_id}/docker{path}" ... elif method.upper() == "DELETE": response = requests.delete(url, headers=headers, json=payload, timeout=10, verify=False)

The skill proxies caller-supplied Docker API paths and permits mutating methods including POST and DELETE through Portainer, with no artifact-level allowlist or confirmation gate.

User impact: A mistaken or hijacked request could restart, create, alter, or delete Docker resources in the connected environment.
Recommendation: Use only with explicit user approval for deploy/update/remove/raw Docker calls, restrict allowed Docker paths and methods, and prefer least-privilege Portainer roles.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: Medium | Status: Note
README.md
openclaw skill install https://github.com/Leventsoft/portainer-skill-openclaw ... RUN pip3 install requests --break-system-packages

The setup guidance is user-directed, but it relies on a GitHub source and recommends a global Python package install that bypasses normal system-package protections.

User impact: Users may install code or dependencies without pinning a trusted revision, which matters because the skill controls infrastructure.
Recommendation: Pin the skill source to a trusted commit or release, install Python dependencies in a virtual environment, and avoid --break-system-packages where possible.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
scripts/portainer_manager.py
headers = {"X-API-Key": token, "Content-Type": "application/json"} ... requests.get(f"{PORTAINER_API_URL}/endpoints", headers=headers, timeout=10, verify=False)

The script sends a powerful Portainer API key on requests while disabling TLS certificate verification; similar verify=False usage appears across the API operations.

User impact: The API key could be exposed to a network attacker if used against a remote Portainer URL, and that key can manage Docker infrastructure.
Recommendation: Enable certificate verification by default, document the required credential and environment variables, and use a narrowly scoped/revocable Portainer API token.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Note
README.md
`inspect_stack(stack_id)` | Returns full JSON details for a specific stack (services, env vars, etc).

Stack details and environment variables may include secrets or internal configuration that would be returned into the agent/chat context.

User impact: Secrets embedded in Compose files or stack environment variables could be displayed or retained in conversation history.
Recommendation: Redact sensitive fields by default and ask the user before printing full stack files or environment variables.