Astra Docker

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it gives an agent powerful Docker command access and builds those commands unsafely, so it should be reviewed before use.

Install only if you trust the Astra Docker container and are comfortable giving the agent the ability to run arbitrary commands through `sudo docker exec`; because `docker` can mount host paths into a container, that authority is effectively root on the host, not just inside the container. Prefer a revised version that uses argument-based process execution instead of shell strings, validates that every path resolves under `/workspace`, never interpolates user input into a host shell, and asks for confirmation before state-changing commands or file writes.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Vague Triggers

Medium
Confidence: 94%
Finding
The invocation guidance is overly broad: it directs the agent to use the skill whenever it needs to interact with a virtual environment or workspace, so the skill can be selected for many ordinary requests without scoping or safety checks. Because the skill grants command execution in a persistent Docker container, overbroad triggering raises the chance of unnecessary or unsafe commands being run against that environment.

Missing User Warnings

Medium
Confidence: 97%
Finding
The documentation explicitly instructs the agent to run shell commands in the Docker container via `sudo docker exec`, but gives no warning, restriction, or approval model for commands that alter files, install software, read secrets, or disrupt the persistent workspace. Although the target is a container, the environment persists and is mounted at `/workspace`, so unsafe commands can still cause durable damage, data exposure, or privilege-sensitive operations within the agent's working context.

Missing User Warnings

Medium
Confidence: 99%
Finding
This tool concatenates user-controlled input directly into a shell command string and executes it via `exec`, which spawns a shell on the host, then passes the same input to `bash -c` inside the container. A quote or `;` in the input therefore breaks out of the `docker exec` string on the host, where the command runs under sudo, and any input at all executes unchecked in the container; there is no confirmation, policy check, or argument separation at either layer.

Missing User Warnings

Medium
Confidence: 99%
Finding
The file-write tool builds a shell command from attacker-controlled `filepath` and `content`, but only partially escapes `content` and neither quotes nor validates `filepath`. Shell metacharacters in `filepath` can redirect the write to a location outside `/workspace` or append further commands that execute inside the container, all without user warning or confirmation.

VirusTotal

66/66 vendors flagged this skill as clean.