Docker Osx

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims, but it can expose a privileged macOS VM over the network and remove VM state without clear safeguards.

Install only on a trusted Linux host where you understand Docker/KVM risks. Bind SSH and VNC to localhost or firewall them, change the default password immediately, review the Docker-OSX image source, and assume stop/start may remove unpersisted VM state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    subprocess.run(['docker', 'rm', '-f', CONTAINER_NAME], capture_output=True)

    # Start container
    result = subprocess.run([
        'docker', 'run', '-d',
        '--device', '/dev/kvm',
        '-p', '50922:10022',
Confidence
90% confidence
Finding
result = subprocess.run([ 'docker', 'run', '-d', '--device', '/dev/kvm', '-p', '50922:10022', '-p', '5900:5900', '--name', CONTAINER_NAME, IMAGE

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documents shell-capable commands and installation steps but declares no permissions or safety boundaries. That mismatch can cause an agent or user to invoke privileged local actions without appropriate review, which is especially sensitive here because the skill manages Docker and KVM-backed virtualization.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill exposes a default SSH password (`alpine`) for a reachable service without any warning to rotate it or restrict access. In a Docker/KVM setup, this can lead to unauthorized access to the macOS VM if ports are exposed beyond localhost or if the host is multi-user/shared.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The stop path unconditionally stops and removes the container without any confirmation, dry-run, or warning about data loss. In this skill, the container may hold an active macOS build environment, so a mistaken invocation can destroy work or interrupt automation unexpectedly.

Natural-Language Policy Violations

Medium
Confidence
99% confidence
Finding
The skill discloses and relies on a fixed default password (`alpine`) for SSH/VNC access. Combined with published ports, this creates a straightforward unauthorized-access path if the service is reachable beyond localhost, and the context makes it more dangerous because the VM is explicitly intended for remote interactive use.

External Script Fetching

Low
Category
Supply Chain
Content
| Error | Fix |
|-------|-----|
| KVM not available | Server needs hardware virtualization |
| Docker not installed | `curl -sSL get.docker.com | sh` |

## Resources
Confidence
93% confidence
Finding
curl -sSL get.docker.com | sh

VirusTotal

63/63 vendors flagged this skill as clean.
