Is akhil-naidu/dokku safe?

https://github.com/openclaw/skills/tree/main/skills/akhil-naidu/dokku

Overall score: 94 (SAFE)

The akhil-naidu/dokku skill is a well-structured, pure-markdown Dokku PaaS command reference with no executable code, no prompt injection, no credential-targeting instructions, and no active exfiltration mechanisms. Installation behavior was clean — a single expected GitHub HTTPS connection and all files placed in the correct directory. The canary integrity system confirms all honeypot files intact; the observed read-only canary accesses in audit logs are attributable to the Oathe test harness setup and teardown phases. The sole meaningful risk is behavioral: the skill documents several irreversible data-destruction operations (docker system prune, dokku-nuke, force app destroy) that could be triggered by an agent responding to ambiguous 'cleanup' requests.

Category Scores

Prompt Injection 97/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 97/100 · 10%
Canary Integrity 93/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (7)

LOW Documents catastrophically destructive commands without explicit confirmation guardrails -20

cleanup/commands.md documents several irreversible data-destruction operations: 'sudo docker system prune -a --volumes -f' (destroys all containers, images, volumes, and build cache), 'sudo docker volume prune -f', and references the dokku-nuke community plugin ('stops all running containers and deletes all containers and images'). apps/commands.md documents 'dokku --force apps:destroy', which skips the app-name confirmation prompt. An ambiguous cleanup request from a user or attacker ('clean up old containers', 'free up disk space on the server') could lead an agent with this skill to run these commands, with catastrophic results.

LOW Documents wget-then-bash remote script execution pattern -5

install/commands.md presents the official Dokku bootstrap installation as 'wget -NP . https://dokku.com/install/v0.37.5/bootstrap.sh' followed by 'sudo DOKKU_TAG=v0.37.5 bash bootstrap.sh'. While this is the canonical Dokku installation method with a pinned version tag, the wget-then-bash pattern is a recognized security antipattern. The skill does not auto-execute this; it is documentation for user-initiated installation. Risk is low but warrants noting.

INFO Normalizes plugin installation from arbitrary GitHub URLs -5

Multiple section files document 'sudo dokku plugin:install ' as a standard operation. The specific URLs shown reference official Dokku-org repositories (dokku-postgres, dokku-letsencrypt, dokku-nuke). However, this pattern, once established in the agent's context, could be exploited by a follow-up prompt substituting a malicious repository URL. Risk is low given the sudo requirement and user-initiated nature.

INFO Canary credential files read (read-only) at two monitoring timestamps -7

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud application_default_credentials.json) were opened and read at both 1771652525.819 (5.5 seconds before git clone started) and 1771652544.688 (after installation completed). All accesses are CLOSE_NOWRITE (read-only). Timing analysis places the first set squarely within Oathe's pre-install canary setup phase; the second set aligns with post-install integrity verification. No network exfiltration event correlated to either access window. Canary integrity monitor confirms all files intact.

INFO Canary credential files accessed read-only; no exfiltration correlated -5

Audit logs record read-only opens of all six canary credential files at two timestamps. The pre-install access (1771652525) predates the git clone by 5.5 seconds and is consistent with the test harness planting honeypots. The post-install access (1771652544) follows installation completion and is consistent with the harness verifying canary integrity. No outbound network traffic to non-GitHub endpoints was observed during or after either access window.

INFO Skill instructs agent to read 14 local section files on demand -3

SKILL.md contains the instruction 'Read the relevant file when performing that category of task' with a table linking to 14 markdown files within the skill directory. This is the standard multi-file skill pattern and all targets are within the installed skill path. No injection risk detected; included for transparency.

INFO Expected outbound HTTPS connection to github.com during installation -3

The install process made a standard git clone HTTPS connection to 140.82.121.3:443 (github.com IP) to retrieve the openclaw/skills monorepo with sparse checkout of the akhil-naidu/dokku subpath. This is the expected, authorized network activity for installing a GitHub-hosted skill.