Docker MCP Toolkit
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly transparent and purpose-aligned, but it gives OpenClaw broad Docker MCP control that can invoke high-impact tools and persistently change enabled MCP servers.
Install only if you intend to let OpenClaw manage and invoke Docker MCP tools. Keep enabled MCP servers minimal, inspect tool schemas before use, require explicit approval for writes/config changes/code execution, use least-privilege credentials, and keep the MCP gateway bound to localhost.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If those MCP tools are enabled, an agent could potentially change MCP configuration, run code, or mutate connected systems such as databases.
The skill documents a generic path for the agent to call management and execution-style MCP tools; the artifacts do not show a tool allowlist or approval boundary for high-impact calls.
Docker’s gateway can expose management tools like: ... `mcp-config-set`, `mcp-remove`, `mcp-exec`, `code-mode` ... call them via `docker mcp tools call <tool>`
Restrict enabled MCP servers and tools, use read-only or least-privilege credentials, and require explicit user approval or an allowlist before mcp-exec, code-mode, config, or write operations.
A server enabled for one task may remain available later, expanding what future agent sessions can do.
Enabling an MCP server changes the Docker MCP configuration and can make additional tools available to later workflows.
docker mcp server enable "$SERVER"
Confirm server names before enabling them, keep only necessary servers enabled, and disable unused servers after a task.
MCP tools may act with the permissions of configured database or service credentials.
The skill expects MCP servers to use external credentials; this is purpose-aligned and includes good guidance, but those credentials define the agent's delegated authority.
Prefer Docker Desktop’s secrets/keychain integration when possible. ... Use least-privilege credentials (separate Neon role with only required grants).
Use dedicated, least-privilege credentials and avoid pasting secrets into chat; rotate any credential that is exposed.
If the MCP endpoint is exposed beyond localhost, other clients could potentially reach tools intended for local use.
The skill relies on an MCP gateway/endpoint boundary; the artifact correctly warns that exposing it publicly would increase risk.
Bind ports to **127.0.0.1** by default. Do **not** expose the MCP endpoint publicly.
Keep the gateway bound to localhost, use SSH or WireGuard for remote access, and do not open MCP ports directly to the internet.
Users may be surprised by the local tool requirements or by the fact that the skill depends on Docker MCP CLI access.
The included scripts require local Docker and jq even though the registry metadata lists no required binaries; no hidden download or remote installer is shown.
if ! command -v docker >/dev/null 2>&1; then ... if ! command -v jq >/dev/null 2>&1; then
Declare Docker, docker mcp, and jq requirements in metadata and make the shell/Docker capability clear before installation.
