Back to skill

Security audit

Docker Diag

Security checks across malware telemetry and agentic risk

Overview

This Docker diagnostic skill has a legitimate purpose, but its helper script can be abused to run unintended local shell commands through a crafted container name.

Review before installing. The Docker diagnostic purpose is reasonable, but this version should be fixed to call Docker with an argument list and shell=False, validate container names, and warn or redact sensitive log data before analysis. Use only with container names you control and avoid running it on logs containing secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 1. Fetch the logs using shell
    try:
        cmd = f"docker logs --tail {max_lines} {container_name}"
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        lines = result.stderr.splitlines() + result.stdout.splitlines() # Docker logs often hit stderr
    except Exception as e:
        return f"Error fetching logs: {str(e)}"
Confidence
98% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares executable binaries and instructs the agent to run a shell command against a user-supplied container name, but it does not declare corresponding permissions or constraints. This creates a real capability/permission mismatch: the skill can invoke local tooling and Docker, which may expose container metadata, logs, or trigger unsafe command construction in downstream components.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
For a log-analysis skill, invoking a shell to fetch logs expands the attack surface beyond the stated purpose and is not necessary for functionality. In this implementation the shell use is especially risky because the command is dynamically built from input, making the unjustified shell execution a practical exploitation path rather than a theoretical concern.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation phrases are broad enough that ordinary troubleshooting requests could trigger code execution and Docker access without a clearly bounded user intent check. In this context, broad triggering is more dangerous because the skill immediately moves from natural-language diagnosis to running a local command on a potentially sensitive host environment.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The skill executes a docker command on the host without any user-facing disclosure, which is a security-relevant behavior because it interacts with local infrastructure and may expose logs from sensitive containers. While lack of warning alone is not code execution, in agent/tooling contexts it reduces informed consent and makes misuse more dangerous.

Unvalidated Output Injection

High
Category
Output Handling
Content
# 1. Fetch the logs using shell
    try:
        cmd = f"docker logs --tail {max_lines} {container_name}"
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        lines = result.stderr.splitlines() + result.stdout.splitlines() # Docker logs often hit stderr
    except Exception as e:
        return f"Error fetching logs: {str(e)}"
Confidence
97% confidence
Finding
subprocess.run(cmd, shell=True, capture_output

Tool Parameter Abuse

High
Category
Tool Misuse
Content
# 1. Fetch the logs using shell
    try:
        cmd = f"docker logs --tail {max_lines} {container_name}"
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        lines = result.stderr.splitlines() + result.stdout.splitlines() # Docker logs often hit stderr
    except Exception as e:
        return f"Error fetching logs: {str(e)}"
Confidence
96% confidence
Finding
subprocess.run(cmd, shell=True

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.