Security audit

Docker Container Rerun

Security checks across malware telemetry and agentic risk

Overview

This skill openly describes its purpose (updating Docker containers), but its apply mode runs a user-supplied command through Bash and returns container logs, so it needs careful review before installation.

Install only if you are comfortable giving the agent Docker control over the target host. Before using --apply, inspect the full recreate command for shell operators such as ;, &&, |, redirects, $(), or backticks, and treat returned container logs as potentially sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
class CommandError(Exception): pass  # assumed definition; the skill's own class is not shown in this excerpt

def recreate(recreate_command: str) -> None:
    # The user-supplied string is passed to bash verbatim, so any shell operator it contains is executed as-is
    proc = subprocess.run(recreate_command, shell=True, executable="/bin/bash", text=True)
    if proc.returncode != 0:
        raise CommandError("recreate_command execution failed")
Confidence
99% confidence
Finding
proc = subprocess.run(recreate_command, shell=True, executable="/bin/bash", text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill explicitly instructs the agent to execute shell-based Docker commands, including destructive actions like stopping, removing, and recreating containers, but the metadata shown does not declare corresponding permissions. That mismatch is a real security issue because users and policy systems may not realize the skill can perform host-level operations with significant operational impact.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill collects and returns docker inspect output, status, health, and the last 100 log lines even though its stated purpose is image-ID comparison and conditional recreation. Container logs and runtime metadata commonly contain secrets, internal endpoints, tokens, user data, and operational details, so this broadens data exposure unnecessarily.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Executing the provided recreate command through bash permits arbitrary shell execution beyond Docker container recreation. Because the skill explicitly asks for a user-supplied original docker run command, the context makes this especially dangerous: an attacker can smuggle host-level commands into what appears to be a routine container update workflow.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.