Security audit

Docker Image Puller

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but it can start background Docker image downloads and may expose private registry passwords through unsafe terminal prompting.

Install only if you want an agent to download Docker images and create tar files for you. Use explicit Docker image requests, watch disk and network usage, reset the config path after install, and avoid entering private registry passwords unless the prompt is changed to a hidden input method or you use limited-scope pull-only credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding
The skill invokes shell execution, spawns sub-agents, performs network access, and writes files, yet declares no permissions or capability boundaries. This creates an authorization gap: users and the platform cannot clearly understand or constrain the skill's ability to download remote content, execute commands, and persist artifacts, increasing the chance of unintended high-impact actions.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding
The trigger description is broad enough to activate on generic phrases like 'pull xxx' or 'download image', which can cause the skill to run in contexts where the user did not intend shell execution and network retrieval. Because this skill launches background tasks, accesses the network, and writes tar files, accidental invocation has meaningful operational and security consequences.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The script prompts for the repository password using plain-text input(), which causes the password to be echoed on screen and potentially exposed to shoulder-surfing, terminal logging, screen recording, shell session capture, or audit tooling. In this skill's context, users may supply real private-registry credentials, so credential disclosure risk is concrete rather than theoretical.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.