Security audit

Docker Volume Backup Or Restore

Security checks across malware telemetry and agentic risk

Overview

This Docker backup skill appears purpose-built, but it requires high-impact Docker access and under-discloses its password exposure and restore-overwrite behavior, which is enough to warrant review before use.

Install only if you are comfortable giving the skill Docker-level access to all local volumes and registry push/pull authority. Run dry-run first, use an explicit private registry target, avoid reusing an important password, and do not restore onto a host with important same-named volumes unless you have verified the backup image and destination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence (Medium, 97% confidence)

Finding: The usage text explicitly says the encryption password is never read from an environment variable, but the script exports it and passes it into containers via `-e ENCRYPT_PASSWORD=...` and uses `openssl ... -pass env:ENCRYPT_PASSWORD`. That contradiction can mislead operators into thinking the secret will not be exposed through process environments, Docker inspection metadata, shell history, or debugging tools, increasing the chance of credential disclosure.

Missing User Warnings (Medium, 93% confidence)

Finding: The restore path creates or reuses named Docker volumes and copies decrypted backup contents into them without any confirmation step or overwrite safeguard. In a backup/restore skill this is contextually more dangerous because the operation can irreversibly replace live application data if the wrong image, host, or volume names are used.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.