Dolphindb Docker
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its DolphinDB Docker deployment purpose, but review is warranted because it gives the container broad host access, loosens data-directory permissions, and may expose ports beyond localhost.
Install only if you are comfortable with a Docker deployment that can modify local Docker state and mount host files. Before running it, change the /etc mount to a minimal read-only mount if possible, bind ports to 127.0.0.1 for local-only use, and choose a dedicated empty data directory so the recursive permission change cannot affect unrelated files.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The DolphinDB container image could read sensitive host configuration and, on Linux Docker setups, may be able to modify files under /etc.
The Docker container receives a bind mount of the host /etc directory without a read-only flag. The skill says this is for license fingerprinting, but the command grants broad host configuration access to the container.
-v /etc:/dolphindb/etc
Avoid running as-is unless this host access is required and trusted. Prefer a minimal read-only mount, such as a specific fingerprint/license file with ':ro', and verify DolphinDB's exact licensing requirement.
The DolphinDB web/API ports may be reachable from the local network, not just from the user's own machine, depending on Docker and firewall settings.
Docker port mappings without a host bind address typically listen on all host interfaces, while the documentation frames access as localhost.
-p 8848:8848 \
-p 8849:8849
Bind ports to localhost when local-only access is intended, for example '-p 127.0.0.1:8848:8848', or clearly require firewalling and authentication before network exposure.
If the chosen path contains existing database files, licenses, logs, or unrelated files, their permissions may be broadened and made readable/executable by other local users.
The script recursively changes permissions on the user-selected data directory after initialization or even when the directory is already non-empty.
chmod -R 755 "$DATA_DIR"
Use a dedicated empty data directory, validate that the path is safe, and replace recursive 755 permissions with minimal ownership and permissions needed by the container.
Users are trusting the current Docker Hub image behind the selected tag, which matters more because the container receives host mounts and published ports.
The deployment pulls a Docker image by repository tag, which is expected for this Docker deployment skill but means the image content is not pinned by digest.
docker pull "$FULL_IMAGE"
Prefer pinning reviewed image digests for production or sensitive hosts, and review the image source before granting host filesystem access.
