Skill v1.0.1
ClawScan security
Dockerfile Optimizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 2, 2026, 9:05 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's declared purpose, instructions, and required resources are consistent: it's an instruction-only Dockerfile reviewer/optimizer that does not request extra credentials, binaries, or installs and stays within its stated scope.
- Guidance: This skill appears coherent and low-risk: it only needs the Dockerfile text you provide and will return an optimized Dockerfile plus explanations. Before using it, avoid pasting secrets or credentials into the Dockerfile content you send; be prepared to test the suggested Dockerfile locally because changes like switching to Alpine or using a different libc (musl) can break binaries or native dependencies; and review the recommended changes (user/account permissions, base image, multi-stage builds) to ensure they don't change runtime behavior for your app. If you want the skill to analyze a whole repository, prefer sending only the Dockerfile and related manifest files (package.json, go.mod, requirements.txt) rather than full source with secrets.
Review Dimensions
- Purpose & Capability: ok. The name and description (optimize Dockerfiles for size, layers, build time, and security) match the SKILL.md and README guidance. There are no unrelated required env vars, binaries, or config paths.
- Instruction Scope: ok. The runtime instructions focus on analyzing provided Dockerfile content and returning an optimized Dockerfile plus explanations. They do not instruct the agent to read system files, access credentials, or transmit data to external endpoints. The SKILL.md includes sensible safeguards (language detection, warning about Alpine/musl compatibility, `.dockerignore` reminders).
- Install Mechanism: ok. No install spec and no code files; this is instruction-only. Nothing will be downloaded or written to disk by an installer, which minimizes risk.
- Credentials: ok. The skill declares no required environment variables, credentials, or config paths. The instructions do not reference any hidden env vars or secrets.
- Persistence & Privilege: ok. `always` is false and the skill does not request persistent system privileges or modify other skills. Autonomous invocation is allowed by platform default but the skill itself does not ask for elevated or persistent presence.
