Back to skill

Security audit

Docker Manager

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Docker management skill, but it gives an agent broad Docker control, including deletion, forced cleanup, and in-container command execution, without enough safety scoping or warnings.

Install only if you want the agent to administer Docker on this machine. Confirm exact targets before using stop, restart, rm, rmi, prune, or exec, and avoid using this on production or sensitive hosts unless the agent is explicitly trusted with Docker-level control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documents shell-capable command execution patterns but does not declare any permissions, which undermines least-privilege review and informed consent. In a Docker-management context, shell access can directly stop services, delete containers/images, and expose sensitive logs, so undeclared capability meaningfully increases risk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior exceeds the declared purpose by including restart, inspect, image management, prune, and even in-container command execution references. This mismatch is dangerous because reviewers and users may authorize a seemingly limited observability/management skill without realizing it also supports broader and destructive operational actions.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill advertises container management and monitoring, but also exposes image deletion and broad prune operations including volumes and system-wide cleanup. In an agent context, this materially expands blast radius and can cause irreversible data loss or service disruption beyond what a user may reasonably expect from the manifest.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This exposes arbitrary command execution inside any specified container, which is substantially more powerful than viewing, starting, stopping, or monitoring containers. In an agent-integrated environment, an attacker or prompt injection could use this to read secrets, modify application state, install tooling, pivot within the container network, or damage workloads.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Broad triggers like generic Docker/container terms can cause the skill to activate in contexts where the user did not intend to perform container administration. Because this skill includes destructive operations, unintended invocation raises the chance of accidental service disruption or data loss.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation advertises deletion of containers/images without warning users about irreversibility, service interruption, or possible data loss. In a Docker-admin skill, omission of safety warnings materially increases the likelihood of accidental destructive use by operators who assume the commands are routine and safe.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The examples explicitly show bulk stop and prune operations without cautionary context, which can normalize high-impact commands and lead users to execute them in production. Given the operational context, accidental invocation could halt all running services or remove resources needed for recovery and debugging.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Prune operations are destructive and run with force flags, eliminating Docker's built-in confirmation while potentially deleting stopped containers, unused images, volumes, and other resources. In a skill or agent setting, accidental invocation or manipulated input can quickly cause broad operational outages and unrecoverable data loss.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Container deletion is a destructive action, and this implementation performs it immediately without a pre-action warning or confirmation. In an automated agent workflow, this increases the chance of accidental deletion of the wrong container and avoidable service interruption.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Image deletion is also destructive and can break future container starts or deployments if base images are removed unexpectedly. The lack of confirmation makes accidental or induced removal more likely in agent-driven use.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
89% confidence
Finding
The single-word trigger '容器' is overly generic and likely to match unrelated conversations about containers, increasing unintended skill activation. Because the skill can perform stop/remove/prune actions, accidental routing into this skill raises real operational risk beyond a mere UX issue.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.