Docker Image Pull Tool
Warn
Audited by ClawScan on May 12, 2026.
Overview
The skill matches its Docker image download purpose, but it disables HTTPS certificate checks and builds shell commands from user-supplied image names, creating risks of tampered downloads, credential exposure, or command injection.
Review carefully before installing. Prefer a version that keeps HTTPS certificate verification enabled, validates downloaded Docker digests, and runs the Python script without shell interpolation. Avoid providing private registry credentials to this version unless you fully trust the network path and understand the risk.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A network attacker, malicious proxy, or compromised mirror could make the downloaded tar contain untrusted image content, which could later be loaded with docker load.
The script disables HTTPS certificate verification and suppresses TLS warnings while fetching Docker registry authentication, manifests, and layer data.
urllib3.disable_warnings() ... resp = session.get(url, headers=headers, verify=False, timeout=30)
Do not disable TLS verification by default. Enable certificate validation, support an explicit trusted CA for corporate proxies if needed, and verify Docker content digests before producing the tar.
Private registry usernames, passwords, or derived access tokens could be exposed to a man-in-the-middle if the connection is intercepted.
When private registry credentials are provided, the script sends a Basic Authorization header while HTTPS certificate verification is disabled.
headers['Authorization'] = f'Basic {encoded_auth}'
...
resp = session.get(url, headers=headers, verify=False, timeout=30)
Avoid entering private registry credentials until TLS verification is fixed. Use least-privilege pull-only tokens, and require verified HTTPS for credential-bearing requests.
If an image name contains shell metacharacters or command substitution syntax, the agent could execute unintended local commands under the user's account.
The instructions tell the agent to run a shell command that interpolates the user-supplied image name into a quoted command string, without specifying validation or safe argument-array execution.
cd "<script_dir>" && printf 'n\nn' | python3 docker_image_puller.py -i "<image name>" --socks5 --socks5-proxy "<proxy address>" -a "<architecture>" ... run with exec (background=true, timeout=600)
Validate image references against Docker's allowed syntax and invoke the script with structured arguments rather than a shell string. Ask the user to confirm unusual image names.
Downloads may keep using network and disk resources while the main conversation continues.
The skill intentionally starts a background sub-agent for downloads, with documented timeouts and progress polling.
Use `sessions_spawn` to start an isolated subtask without blocking the main session ... background=true, timeout=600 ... timeoutSeconds=900
Use this only for intended downloads, monitor progress, and ensure there is a way to cancel long or unexpected jobs.
