v1.0.2

wagmios

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:51 AM.

Analysis

This is a coherent WAGMIOS/Docker management skill, but it gives the agent real container-management power, so users should limit API scopes and use trusted hosts.

Guidance: This skill is appropriate if you want an agent to manage WAGMIOS/Docker, but treat it like granting control over part of your server. Provide only limited scoped API keys, use separate keys for each host, prefer secure local/VPN/HTTPS connections, confirm service interruptions or deletions, and review marketplace apps before starting them.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Note
SKILL.md
| `containers:write` | Create, start, stop, restart containers | ... | `containers:delete` | Remove containers (with user confirmation) | ... | `marketplace:write` | Install, start, stop marketplace apps |

The skill intentionally exposes Docker/container mutation through the WAGMIOS API. This fits the stated purpose, but these actions can affect running services and stored application data.

User impact: If granted broad scopes, the agent can change, stop, install, or delete Docker resources on the user’s host.
Recommendation: Grant only the scopes needed for the current task, keep delete scopes off unless required, and require explicit confirmation before stopping services, deleting resources, or installing new apps.
Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Note
references/api.md
POST /api/marketplace/start ... Pulls image and starts the container(s) via `docker compose up -d`.

Marketplace app installation necessarily pulls and runs container images/compose definitions. This is expected for the feature, but image and compose provenance are not described in the skill artifacts.

User impact: Installing an app may run third-party container images and expose services or ports on the host.
Recommendation: Install only trusted marketplace apps, review ports and environment variables before starting, and prefer pinned or well-known images where possible.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Every request requires the `X-API-Key` header. The user provides the key and base URL at runtime — do not store it.

The skill relies on a scoped API key that delegates Docker-management authority to the agent. The artifact gives appropriate handling instructions, but the credential is still sensitive.

User impact: Anyone with the API key can perform the Docker actions allowed by that key’s scopes.
Recommendation: Use separate limited-scope keys per host, rotate keys if exposed, and never paste keys into logs, shared chats, or untrusted contexts.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
references/api.md
GET /api/containers/{id}/logs?tail=100 ... Returns container log output. ... GET /api/containers/{id}/config ... Returns the full container configuration (environment, volumes, ports, etc.).

Container logs and configs may contain secrets, sensitive paths, or untrusted text that the agent will ingest as context.

User impact: The agent may see environment variables, service paths, log contents, or other private operational details from containers.
Recommendation: Avoid requesting logs/configs from containers that may contain secrets unless necessary, and treat log text as untrusted diagnostic data rather than instructions.
Insecure Inter-Agent Communication
Severity: Low | Confidence: Medium | Status: Note
references/api.md
**Base URL:** `http://localhost:5179` (user provides — may differ for remote/multi-machine setups)

The documented default is local HTTP, and the skill supports remote or multi-machine URLs. Remote use over plain HTTP could expose API keys or container data on the network.

User impact: If a remote WAGMIOS instance is accessed over an unencrypted network, the API key and operational data could be intercepted.
Recommendation: Use localhost, a trusted VPN/SSH tunnel, or HTTPS/TLS for remote hosts, and avoid exposing the WAGMIOS port directly to untrusted networks.