Is leventsoft/portainer-skill-openclaw safe?
https://github.com/openclaw/skills/tree/main/skills/leventsoft/portainer-skill-openclaw
The Portainer skill is a legitimate Docker infrastructure management tool with no prompt injection attempts and a clean install profile. However, it exposes significant operational risk through execute_docker_command(), which grants the agent effectively unlimited Docker API access via Portainer's proxy — well beyond what 'stack management' implies — and through universal TLS certificate verification bypass (verify=False) that silently exposes API tokens to man-in-the-middle interception. The skill itself contains no malicious code and passed canary integrity checks, but its expansive capability surface makes it a high-value target for abuse via prompt injection or malicious compose payloads.
Findings (7)
HIGH: execute_docker_command() provides unrestricted Docker API proxy access (-30)
The function accepts arbitrary path, method, and payload arguments and forwards them directly to the Portainer Docker proxy endpoint at /endpoints/{id}/docker{path}. This means any Docker API call is possible: creating privileged containers, mounting host paths, pulling and running arbitrary images, reading container logs, inspecting secrets stored in Docker. The function is documented as 'Advanced' but the risk is not bounded.
HIGH: TLS certificate verification disabled on all API requests (-25)
Every call in portainer_manager.py uses verify=False, which disables certificate chain and hostname verification for the Portainer API. Combined with urllib3.disable_warnings() suppressing InsecureRequestWarning, this silently exposes the PORTAINER_API_TOKEN and all API responses to a man-in-the-middle attacker on any network path between the agent host and the Portainer instance.
MEDIUM: inspect_stack() exfiltrates stack file content, including embedded secrets, into LLM context (-15)
The function fetches the raw compose file content from Portainer and includes it in the returned data structure. Docker Compose files commonly contain plaintext secrets, API keys, database passwords, and other credentials in environment variable fields. These are returned to the LLM and may be logged, included in conversation history, or transmitted to the model provider.
MEDIUM: package.json incorrectly lists Python packages as npm dependencies (-10)
The package.json declares requests@^2.31.0 and urllib3@^2.0.0 as npm dependencies. These are Python library names, not npm packages. While requests does not exist on npm in a meaningful form, this misconfiguration could cause unexpected behavior if npm install is run (potentially installing unrelated packages with those names), and indicates the author has not properly separated tooling concerns.
MEDIUM: deploy_stack() accepts arbitrary compose content without validation (-20)
The function takes a raw compose YAML string and deploys it directly to Portainer. No validation of the compose content is performed. A malicious prompt or prompt injection could supply a compose file that deploys a privileged container, mounts the host filesystem, or establishes a reverse shell, all under the guise of a legitimate stack deployment request.
LOW: Pre-existing external connection to 185.125.188.58:443 (Canonical) during audit window (-5)
A TCP connection to 185.125.188.58:443 (Ubuntu/Canonical infrastructure) was present before install and closed after. This is consistent with Ubuntu's motd-news or update check services running on the audit host and is not attributable to the skill. Noted for completeness.
INFO: Canary files accessed by monitoring framework, not by skill (0)
Inotify and auditd records show opens of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials. Timestamps establish these accesses occurred before the git clone (1771925637 vs clone at 1771925642) for the first batch, and after install at 1771925654 for the second batch — consistent with Oathe's own baseline setup and final integrity verification. The portainer_manager.py Python script was never executed during the audit. Canary file integrity confirmed intact.