Back to skill

Security audit

Docker Optimizer

Security checks across malware telemetry and agentic risk

Overview

This skill is a Dockerfile optimization guide with disclosed, purpose-aligned examples and no hidden execution or persistence behavior.

Install appears reasonable for users who want Dockerfile optimization guidance. Before running generated Docker commands, review the Dockerfile and .dockerignore, avoid passing real credentials to untrusted builds, and prefer temporary project-scoped secret files when testing private registry access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The skill includes `docker build --secret id=npmrc,src=$HOME/.npmrc .`, which can cause local credential material from the user's home directory to be injected into a build context and potentially used to access external package services. Although BuildKit secrets are a legitimate Docker feature, the example provides no warning about privacy, credential sensitivity, or the risk of exposing repository or host data during networked builds.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.