Docker官网镜像拉取能力 (Docker official image pull capability)
Result: Warn. Audited by ClawScan on May 14, 2026.
Overview
The skill’s Docker-mirror workflow is coherent, but it asks for high-impact GitHub/CNB credentials and includes an overbroad GitHub token instruction that users should review carefully.
Install only if you are comfortable letting the skill create or modify a private GitHub repository, add Repository Secrets to it, and use Docker locally. Prefer GitHub CLI login or a fine-grained token limited to the mirror repository; do not hand over a classic token with the full repo scope, protect ~/.openclaw/.env with owner-only permissions (chmod 600), and review the generated workflow before running setup.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A broad GitHub token could allow repository and workflow access beyond this Docker mirror setup if the token is mishandled or reused.
The script requires a GitHub token and, when no GitHub login is detected, tells the user to grant the full repo scope plus workflow. On a classic token, repo grants read/write access to every repository the account can reach and workflow allows editing GitHub Actions workflow files, which is far broader than the single private mirror repository the skill needs and gives high-impact access to the user's GitHub account.
From the setup script (the messages read "GITHUB_TOKEN not set" and "required permissions: repo (all) + workflow"):
[[ -z "$GITHUB_TOKEN" ]] && { error "GITHUB_TOKEN 未设置"; missing=$((missing+1)); } ... echo "所需权限:repo (全部) + workflow"
Do not provide a classic GitHub token with the full repo scope. Prefer gh auth login, or a fine-grained token restricted to the cnb-docker-sync repository with only the permissions the setup needs, and remove or rotate the token after setup.
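As an added example (not from the ClawScan page or the skill's setup script), the pre-flight a user can run before exporting GITHUB_TOKEN for this setup: it classifies the token by GitHub's documented prefixes, rejects a classic token whose scope list contains the full repo scope or workflow, and checks that ~/.openclaw/.env (the path named in this review) is owner-only. The X-OAuth-Scopes response header and the ghp_/github_pat_/gho_ prefixes are GitHub behaviour; the function names, the --check flag and the test inputs are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the audited skill or of ClawScan's page.
# Pre-flight for the mirror setup: classify GITHUB_TOKEN, refuse a classic
# token carrying the full "repo" or "workflow" scope, and confirm that
# ~/.openclaw/.env (the path named in the review) is owner-only.
set -u

# Token family from its documented prefix: classic PATs (ghp_) carry
# account-wide scopes, fine-grained PATs (github_pat_) are limited to
# selected repositories, and gho_ is what `gh auth login` stores.
token_kind() {
  case "$1" in
    ghp_*)        echo classic ;;
    github_pat_*) echo fine-grained ;;
    gho_*)        echo gh-cli ;;
    *)            echo unknown ;;
  esac
}

# Exit 0 if a classic token's scope list (the X-OAuth-Scopes header value,
# e.g. "repo, workflow") contains the full repo scope or workflow.
# "public_repo" alone is not matched: it is a narrower scope.
scopes_too_broad() {
  local scopes
  scopes=",$(printf '%s' "$1" | tr -d ' '),"
  case "$scopes" in
    *,repo,*|*,workflow,*) return 0 ;;
  esac
  return 1
}

# Overall verdict: only classic tokens need the scope check, because
# fine-grained tokens and gh CLI logins are not account-wide scopes.
token_verdict() {
  local token=$1 scopes=${2:-}
  case "$(token_kind "$token")" in
    classic)
      if scopes_too_broad "$scopes"; then echo reject-broad-classic
      else echo classic-limited; fi ;;
    fine-grained) echo ok-fine-grained ;;
    gh-cli)       echo ok-gh-cli ;;
    *)            echo unknown ;;
  esac
}

# Live lookup (network, not exercised offline): GitHub echoes a classic
# token's scopes in the X-OAuth-Scopes response header of any API call.
live_scopes() {
  curl -fsSI -H "Authorization: token $1" https://api.github.com/user \
    | tr -d '\r' | awk -F': ' 'tolower($1) == "x-oauth-scopes" { print $2 }'
}

# Secrets file must be readable by the owner only (0600 or 0400).
env_file_mode_ok() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# Usage: GITHUB_TOKEN=... ./preflight.sh --check
if [ "${1:-}" = "--check" ]; then
  token=${GITHUB_TOKEN:-}
  scopes=""
  [ "$(token_kind "$token")" = classic ] && scopes=$(live_scopes "$token")
  echo "token: $(token_kind "$token") -> $(token_verdict "$token" "$scopes")"
  if env_file_mode_ok "$HOME/.openclaw/.env"; then
    echo "~/.openclaw/.env: mode ok"
  else
    echo "~/.openclaw/.env: missing or too permissive (run: chmod 600 ~/.openclaw/.env)"
  fi
fi
```

Run it before the skill's setup rather than after: the point is to reject a broad classic token before it is written to ~/.openclaw/.env or pushed into Repository Secrets. Fine-grained tokens return no X-OAuth-Scopes header, which is why the live lookup is only attempted for the classic family.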
Running setup can change your GitHub account state, store secrets in GitHub, and modify your local Docker image cache.
The script creates or modifies a GitHub repository, writes repository secrets, pushes workflow content, and pulls Docker images. These actions fit the stated purpose, but they are high-impact account and local-environment operations.
From the setup script:
gh repo create "${REPO_NAME}" --private --clone=false ... gh secret set CNB_TOKEN --repo "${REPO_FULL}" --body "${CNB_TOKEN}" ... git push origin main ... docker pull "$CNB_IMAGE"
Run the setup only when you intend these changes, confirm that REPO_NAME and REPO_FULL point at a repository you own, and review the workflow before allowing the script to push it.
Future changes to those tagged GitHub Actions could affect the workflow that handles your CNB token and Docker images.
The installed workflow depends on external GitHub Actions referenced by version tags rather than immutable commit SHAs. These are common, purpose-aligned dependencies, but a tag such as v4 is a mutable pointer that the action's maintainer (or anyone who takes over the maintainer's account) can move, and each run executes whatever the tag points at that day, with the CNB token and the pulled images in reach.
From the installed workflow:
uses: actions/checkout@v4 ... uses: docker/setup-buildx-action@v3 ... uses: docker/login-action@v3
If you need stronger supply-chain control, pin each action in your private repository to a commit SHA you have reviewed, keep the tag in a trailing comment so the intended version stays readable, and re-pin deliberately when you want an update.
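As an added example for the pinning advice (again not the skill's or ClawScan's code), a shell helper that rewrites the `uses:` lines of a workflow from mutable tags to commit SHAs, keeping the tag in a trailing comment. The resolver shells out to `gh api` against the /repos/{owner}/{repo}/commits/{ref} endpoint, which dereferences annotated tags to the underlying commit, so it needs a logged-in gh; the function names are assumptions, and the tests use a constructed resolver and a made-up SHA instead of real commits.

```bash
#!/usr/bin/env bash
# Added example, not part of the audited skill or of ClawScan's page.
# Rewrites `uses: owner/repo@tag` lines in a GitHub Actions workflow to
# `uses: owner/repo@<commit sha> # tag`, so the trusted execution path no
# longer moves when the tag does. Function names are assumptions.
set -u

# True for a full 40-hex commit SHA (abbreviated SHAs are not accepted).
is_sha() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# Resolve a tag to the commit it points at (network + logged-in gh).
# GET /repos/{owner}/{repo}/commits/{ref} dereferences annotated tags,
# so the result is a commit SHA rather than a tag-object SHA.
resolve_tag() {
  gh api "repos/$1/commits/$2" --jq .sha
}

# Replace the ref after '@' with the SHA and keep the old ref as a comment.
pin_uses() {
  local line=$1 sha=$2
  printf '%s\n' "$line" \
    | sed -E "s|(uses:[[:space:]]*[^@[:space:]]+)@([^[:space:]#]+)|\1@${sha} # \2|"
}

# Filter: workflow YAML on stdin, pinned YAML on stdout. "$1" names a
# resolver function taking "owner/repo" and "tag" and printing a SHA;
# lines that are already pinned, or are not action references, pass through.
pin_workflow() {
  local resolver=$1 line action tag sha
  while IFS= read -r line || [ -n "$line" ]; do
    if printf '%s' "$line" | grep -Eq 'uses:[[:space:]]*[^@[:space:]]+@[^[:space:]#]+'; then
      action=$(printf '%s' "$line" | sed -E 's/^.*uses:[[:space:]]*([^@[:space:]]+)@.*$/\1/')
      tag=$(printf '%s' "$line" | sed -E 's/^.*uses:[[:space:]]*[^@[:space:]]+@([^[:space:]#]+).*$/\1/')
      if is_sha "$tag"; then
        printf '%s\n' "$line"   # already pinned, leave untouched
        continue
      fi
      sha=$("$resolver" "$action" "$tag") && is_sha "$sha" \
        || { echo "cannot resolve $action@$tag" >&2; return 1; }
      pin_uses "$line" "$sha"
    else
      printf '%s\n' "$line"
    fi
  done
}

# Usage: pin_workflow resolve_tag < .github/workflows/mirror.yml > pinned.yml
# Diff the two files, review each resolved commit, then commit pinned.yml
# in place of the original in the private mirror repository.
```

The helper refuses anything that is not a full 40-character SHA, so a resolver that returns a short SHA, an error message or an empty string fails the whole run rather than writing a half-pinned workflow. Resolving the tag once and recording the commit is the whole point: afterwards the workflow only changes when you change it.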
