Claw Stack Manager
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: claw-stack-manager
Version: 5.1.0
The skill manages Docker stacks via the Portainer API and utilizes a 'one-shot redeployer' mechanism in `scripts/manage.py` that creates a temporary Alpine container to perform updates. This mechanism embeds the sensitive `PORTAINER_API_KEY` directly into the container's shell command, making it visible via process monitoring or container inspection. The script also references a hardcoded, user-specific environment path (`/home/node/.openclaw/workspace/liyj/.env`) and performs cleanup on an undocumented container name (`ng-agent`). While these behaviors represent significant security risks and poor credential handling, they appear to be functional components of the stack management logic rather than intentional malware.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A container unrelated to the requested stack update could be forcibly removed, causing service disruption or data loss depending on what ng-agent is on the user's host.
The redeploy flow automatically force-deletes containers matching the name pattern ng-agent, which is not described in SKILL.md and may be outside the selected stack.
`api("DELETE", f"/endpoints/{EP}/docker/containers/{c['Id']}?force=true")` ... `cleanup_container("ng-agent")`
Remove the ng-agent cleanup, restrict cleanup to exact containers created by this skill, and require explicit user confirmation before deleting any existing container.
The skill may use credentials from an unexpected local workspace file and then apply them to high-impact Docker/Portainer operations.
The script silently reads a user-specific local .env file and may obtain the Portainer API key from it instead of only using explicitly supplied environment variables.
`_env_path = '/home/node/.openclaw/workspace/liyj/.env'` ... `os.environ.setdefault(_k.strip(), _v.strip())` ... `KEY = os.environ.get("PORTAINER_API_KEY")`
Do not auto-load a hard-coded .env path. Require the user to explicitly provide PORTAINER_API_KEY and PORTAINER_URL, and declare those credentials in metadata.
Anyone or anything with access to inspect the helper container may be able to recover the Portainer API key.
The Portainer API key is interpolated into the shell script used as the Docker container command, which can make the secret visible in container configuration/inspection until the helper is removed.
`f'curl -sS -X POST -H "X-API-Key: {KEY}" '` ... `"Cmd": ["/bin/sh", "-c", script.strip()]`
Avoid embedding secrets in inspectable command strings, use a short-lived limited-scope token if possible, and remove the helper container immediately after completion.
A compromised or changed upstream image/package could affect the helper container that performs redeploy operations.
The redeployer uses an unpinned Alpine image, installs curl at runtime, and runs with host networking. This is purpose-aligned with the helper-container design but increases dependency and network exposure.
`"Image": "alpine:latest"` ... `'apk add -q curl\n'` ... `"HostConfig": {"NetworkMode": "host"}`
Pin the helper image by digest, avoid runtime package installation where possible, and use the narrowest network mode that can still reach Portainer.
