Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Docker Container Rerun

Safely check whether a Docker container's image has changed and, only when needed, recreate that docker run container with a user-provided original docker ru...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 37 · 0 current installs · 0 all-time installs
by HongWei Jiang @ugvfpdcuwfnh
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the contained behavior. The script and SKILL.md only call docker commands and perform image Id comparison and optional recreate; no unrelated binaries, cloud credentials, or config paths are requested.
Instruction Scope
SKILL.md stays within scope (only docker run containers, explicit recreate_command, conservative actions). The bundled script implements the described workflow. Note: the script executes the provided recreate_command with shell=True (/bin/bash), which is necessary to run arbitrary docker run invocations but means the agent will run whatever shell constructs exist in the user-supplied command. The skill's docs explicitly require user confirmation before applying, which is the correct mitigator — ensure that confirmation is enforced.
Install Mechanism
No install spec; instruction-only skill with a bundled Python script. Nothing is downloaded or written during installation.
Credentials
No environment variables, credentials, or config paths are requested. All required inputs are user-provided (container_name and recreate_command), which is appropriate for the stated task.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges or modify other skills. It runs only when invoked.
Assessment
This skill appears coherent and implements exactly what it claims: compare image Ids and optionally recreate a docker run container. Before using it, ensure you only provide trusted recreate_command strings (the script will execute the command via /bin/bash). Always confirm the exact recreate command and require --apply explicitly before the skill performs stop/rm/run. If you might receive recreate_command values from untrusted sources, do not allow automatic apply and manually inspect the command for unintended shell constructs or additional commands chained to it.

Like a lobster shell, security has layers — review code before you run it.

Current version v1.0.0
latestvk97bptjh1vn9qgxbk5dxpb7dvh83kb5j

SKILL.md

Docker Container Rerun

Update a docker run container with a conservative workflow.

Required Inputs

Require both of these from the user:

  • container_name
  • recreate_command

Treat recreate_command as the source of truth. Do not try to reconstruct missing flags from docker inspect.

Scope

Support only containers originally managed by docker run.

Do not use this skill for:

  • docker compose
  • guessing or synthesizing missing run flags
  • deleting volumes
  • docker system prune
  • changing environment variables, mounts, ports, labels, or networks unless the user explicitly changed the recreate command

Update Rule

Always compare image Id values, not repo digests.

Use this exact logic:

  1. Read current image Id from the running container:
    docker inspect -f '{{.Image}}' <container_name>
    
  2. Extract the image reference from recreate_command.
  3. Pull the latest version of that image:
    docker pull <image>
    
  4. Read the latest local image Id:
    docker image inspect <image> --format '{{.Id}}'
    
  5. Recreate the container only if the two Id values differ.

Safety Rules

Before any destructive action, restate the exact recreate command that will be used.

If recreate_command is missing, ambiguous, or not clearly a docker run command, stop and ask the user to provide a valid full command.

If the image cannot be extracted from recreate_command, stop and ask the user to provide the image explicitly inside the command.

Never silently modify the recreate command.

Prefer this sequence when update is needed:

docker stop <container_name>
docker rm <container_name>
<recreate_command>

Validation of recreate_command

Before using it, verify all of the following:

  • starts with docker run
  • includes an image name as the final image argument before any container command
  • clearly targets the same logical container the user wants updated

If the command includes an inline container command after the image, preserve it exactly.

If the command is multiline, preserve it exactly.
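
One way to apply these checks before the command reaches /bin/bash, as an added example (it is not the bundled script; extract_image and the constant names are hypothetical). The list of value-less docker run flags is an assumption and not exhaustive, and a ValueError corresponds to the "stop and ask the user" rule above.

```python
import shlex

# Assumption: docker run flags that take no value (not exhaustive). Any other
# flag is assumed to take one, as "--flag=value" or as the next token.
BOOL_LONG = {"--detach", "--rm", "--interactive", "--tty", "--privileged",
             "--init", "--read-only", "--publish-all"}
BOOL_SHORT = set("ditP")
OPERATOR_CHARS = set("();<>|&")

# Constructed sample input, modelled on the Example Pattern.
SAMPLE = ('docker run -d --network host --name my-container '
          '-v example_data:/data -e DB_HOST=db.internal '
          '--health-cmd="/bin/check-health" example/image:latest')


def extract_image(recreate_command: str) -> str:
    """Return the image of a single docker run command, else raise ValueError."""
    # Backslash-newline is a bash line continuation, a bare newline separates
    # commands. Only this joined copy is analysed; the input is not modified.
    joined = recreate_command.replace("\\\n", " ").strip()
    if "\n" in joined:
        raise ValueError("unescaped newline starts a second command")
    # Conservative: bash expands these even inside double quotes.
    if "`" in joined or "$(" in joined:
        raise ValueError("command substitution is not allowed")
    lexer = shlex.shlex(joined, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""
    tokens = list(lexer)
    if tokens[:2] != ["docker", "run"]:
        raise ValueError("command does not start with docker run")
    for tok in tokens:
        # Unquoted ; && | > etc. come out of the lexer as their own tokens.
        if tok and set(tok) <= OPERATOR_CHARS:
            raise ValueError(f"shell operator {tok!r} in command")
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            return tok  # first positional argument after the flags
        if tok.startswith("--"):
            takes_value = "=" not in tok and tok not in BOOL_LONG
        elif set(tok[1:]) <= BOOL_SHORT:
            takes_value = False  # -d, -it, ...
        elif len(tok) == 2:
            takes_value = True   # -v, -e, -p, ...
        else:
            raise ValueError(f"ambiguous short flag {tok!r}")
        i += 2 if takes_value else 1
    raise ValueError("no image argument found")
```
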

Recommended Execution Workflow

  1. Confirm the target container name.
  2. Echo back the exact recreate command.
  3. Extract the image from the recreate command.
  4. Compare current image Id and latest pulled image Id.
  5. If Ids match, report that the container is already up to date and do nothing else.
  6. If Ids differ:
    • run docker stop <container_name>
    • run docker rm <container_name>
    • run the exact recreate_command
  7. Verify startup with:
    docker ps --filter name=<container_name>
    docker inspect <container_name>
    docker logs --tail 100 <container_name>
    
  8. Report status clearly, including whether healthcheck is healthy, starting, or absent.

Bundled Script

Use the bundled script when you want a deterministic check/apply flow:

python3 scripts/update_docker_run_container.py \
  --container-name <container_name> \
  --recreate-command '<full docker run command>'

Add --apply only when the user has approved the exact recreate command and actual recreation should happen.

The script will:

  • validate recreate_command
  • extract the image
  • pull the latest image
  • compare current vs latest image Id
  • optionally stop/remove/recreate
  • emit JSON summary with container state, health status, and recent logs

Output Expectations

When reporting results, include:

  • target container name
  • extracted image name
  • current image Id
  • latest image Id
  • whether recreation was needed
  • post-recreate container state
  • health status if present
  • any obvious log errors seen in recent logs

Example Pattern

Input:

  • container_name: my-container
  • recreate_command:
    docker run -d --network host --name my-container --restart unless-stopped -v example_data:/data -v example_certs:/etc/ssl/certs -e DB_HOST=<db_host> -e DB_PORT=<db_port> -e DB_NAME=<db_name> -e DB_USER=<db_user> -e DB_PASSWORD=<db_password> --health-cmd="/bin/check-health" --health-interval=600s --health-retries=5 --health-timeout=3s example/image:latest
    

Expected behavior:

  • extract image example/image:latest
  • compare current container image Id vs pulled latest image Id
  • recreate only if the Ids differ
  • preserve the recreate command exactly

Notes

When users ask to "update container X", prefer asking for the original docker run command unless it is already documented in memory or provided in the current request.

If the user has a known fixed recreate command for a specific container, prefer using that exact command unchanged.

Files

3 total