Claw Stack Manager
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its Portainer stack-management purpose, but it has review-worthy risks: it silently reads a hard-coded local .env file, embeds the Portainer API key into a helper container command, and force-removes containers named ng-agent without clear disclosure.
Review the script before installing. Only use it with a dedicated, least-privilege Portainer API key, remove or change the hard-coded .env loading, confirm that deleting ng-agent containers is intended, and expect it to stop/redeploy Docker stacks and create a temporary host-network helper container.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A container unrelated to the requested stack update could be forcibly removed, causing service disruption or data loss depending on what ng-agent is on the user's host.
The redeploy flow automatically force-deletes containers matching the name pattern ng-agent, which is not described in SKILL.md and may be outside the selected stack.
api("DELETE", f"/endpoints/{EP}/docker/containers/{c['Id']}?force=true") ... cleanup_container("ng-agent")
Remove the ng-agent cleanup, restrict cleanup to exact containers created by this skill, and require explicit user confirmation before deleting any existing container.
The skill may use credentials from an unexpected local workspace file and then apply them to high-impact Docker/Portainer operations.
The script silently reads a user-specific local .env file and may obtain the Portainer API key from it instead of only using explicitly supplied environment variables.
_env_path = '/home/node/.openclaw/workspace/liyj/.env' ... os.environ.setdefault(_k.strip(), _v.strip()) ... KEY = os.environ.get("PORTAINER_API_KEY")
Do not auto-load a hard-coded .env path. Require the user to explicitly provide PORTAINER_API_KEY and PORTAINER_URL, and declare those credentials in metadata.
Anyone or anything with access to inspect the helper container may be able to recover the Portainer API key.
The Portainer API key is interpolated into the shell script used as the Docker container command, which can make the secret visible in container configuration/inspection until the helper is removed.
f'curl -sS -X POST -H "X-API-Key: {KEY}" ' ... "Cmd": ["/bin/sh", "-c", script.strip()]
Avoid embedding secrets in inspectable command strings, use a short-lived limited-scope token if possible, and remove the helper container immediately after completion.
A compromised or changed upstream image/package could affect the helper container that performs redeploy operations.
The redeployer uses an unpinned Alpine image, installs curl at runtime, and runs with host networking. This is purpose-aligned with the helper-container design but increases dependency and network exposure.
"Image": "alpine:latest" ... 'apk add -q curl\n' ... "HostConfig": {"NetworkMode": "host"}Pin the helper image by digest, avoid runtime package installation where possible, and use the narrowest network mode that can still reach Portainer.
