Is docker-essentials safe?
https://clawhub.ai/Arnarsson/docker-essentials
docker-essentials is a clean, benign Docker command reference containing no executable code, no prompt injection techniques, and no data exfiltration mechanisms. The skill's only meaningful risk is inherent to its purpose: it teaches an LLM agent Docker commands that include volume mounting, root exec, and file copying, which could expose host resources if executed without user confirmation. All monitoring signals are clean with no network activity, no canary access, and no unexpected behavior during installation.
Findings (6)
LOW Docker commands enable broad host access -15
The skill teaches volume mounting patterns like -v $(pwd):/app and -v /host/path:/container/path which, if the agent executes without user confirmation, could expose host filesystem contents to containers. The -u root flag for docker exec is also demonstrated.
LOW Volume mounts and docker cp enable file access -15
Docker volume mounting and the docker cp command demonstrated in the skill can be used to read arbitrary host files if the agent follows these patterns. This is standard Docker functionality, not a malicious design.
INFO Skill requests docker binary dependency -10
The skill metadata declares a requirement for the docker binary via requires.bins. This is a legitimate dependency declaration for a Docker reference skill and does not constitute privilege escalation.
INFO Hardcoded example password in database workflow -5
The database container example uses POSTGRES_PASSWORD=secret which could be copied verbatim by the agent, establishing weak credentials. This is a documentation quality issue, not a security threat.
INFO Agent runtime reads sensitive files during bootstrap -10
Filesystem monitoring shows reads of .env, .aws/credentials, and .openclaw config files. These are attributable to the openclaw agent runtime initialization sequence, not to the skill under test. They occur as part of the standard agent bootstrap before skill evaluation.
INFO Combination risk with other skills -20
While benign alone, this skill provides Docker operational knowledge that a malicious companion skill could leverage — e.g., instructing the agent to mount sensitive paths or pull attacker-controlled images. This is a theoretical multi-skill composition risk.