project-containerize

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate Docker containerization helper, but it can copy real configuration secrets and run project-controlled Docker builds without strong review controls.

Install only if you want an agent to generate and potentially run Docker deployment artifacts for projects you trust. Before running generated Docker or Compose commands, inspect the Dockerfiles and scripts, remove real secrets from deploy/.env and deploy/config, add those paths to .gitignore where appropriate, and consider changing generated containers to run as a non-root user.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The skill instructs copying original configuration files, including likely secret-bearing files such as .env and application configs, into deploy/config. This can duplicate secrets into generated artifacts, increase their exposure surface, and cause credentials to be committed, shared, or mounted into containers unintentionally.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill goes beyond generating Docker artifacts and instructs execution of docker compose up --build, which builds and runs project-defined containers. Running repository-derived builds can execute arbitrary Dockerfile instructions, build hooks, package scripts, and downloaded dependencies, turning a documentation/generation skill into an execution path for untrusted code.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The script recursively discovers and copies real project configuration files into deploy/config, including .env-style files that commonly contain secrets, tokens, and service credentials. In a containerization skill, this is more dangerous because generated deployment artifacts are likely to be committed, bundled, or shared, turning secret exposure into a practical leakage path rather than a theoretical one.

Intent-Code Divergence

Medium
Confidence: 84%
Finding
The header claims the script prepares configuration templates, but the implementation actually copies real configuration files from the project. This mismatch can mislead users into running the tool under the assumption that it is safe for sanitization/template generation, increasing the chance that sensitive material is unintentionally propagated into deployment directories.

Missing User Warnings

Medium
Confidence: 97%
Finding
Copying existing configuration files into deployment outputs without any warning or filtering is unsafe because those files commonly contain real credentials, endpoints, and internal settings. In the context of a containerization skill, generated deploy directories are especially likely to be archived, shared with operators, or committed to source control, amplifying exposure.

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill instructs creation of a populated deploy/.env with sensitive fields such as database credentials and uses insecure placeholder patterns for secret storage. Plaintext secret files are frequently leaked through source control, logs, backups, support bundles, and misconfigured file permissions.

Missing User Warnings

Medium
Confidence: 98%
Finding
The copy operation occurs without any explicit user warning, review step, or filtering for sensitive data, even though the discovery patterns include .env files. In this skill context, automatic deployment preparation makes silent secret duplication especially risky because users may assume the generated deploy directory is safe to publish or use in image build contexts.

Ssd 3

Medium
Confidence: 97%
Finding
Directing the agent to copy original config files, including .env, can surface sensitive values into newly created deployment artifacts and documentation paths. This is dangerous because it transforms existing secrets into additional copies under a predictable deploy/ directory that may be packaged or published.

Ssd 3

Medium
Confidence: 99%
Finding
Generating a real deploy/.env with populated sensitive fields institutionalizes plaintext secret storage as part of the skill output. Because the file is intended for direct deployment use, it is more dangerous than a template: it encourages long-lived credential reuse and easy accidental disclosure.

VirusTotal

61/61 vendors flagged this skill as clean.