Is mkrdiop/moltbot-docker safe?
https://github.com/openclaw/skills/tree/main/skills/mkrdiop/moltbot-docker
The mkrdiop/moltbot-docker skill is a straightforward Docker management helper implemented as pure markdown. It contains no executable code, no prompt injection attempts, no data exfiltration mechanisms, and no malicious install-time behavior. All suspicious file accesses in the audit logs are attributable to the Oathe audit framework's own pre/post canary checks, not to skill content. The only meaningful risk is inherent to any Docker management skill: granting exec access to docker enables privilege escalation by sufficiently motivated users, which is an accepted risk of this class of tool.
Findings (4)
LOW Docker exec access enables host privilege escalation -28
Any skill granting unrestricted docker exec capability allows a user to mount the host filesystem, access host secrets, or run privileged containers. The skill itself does not instruct this behavior, but a sophisticated user interacting with the agent could craft requests that exploit Docker's power.
INFO Canary files accessed by audit framework (not by skill) -10
Sensitive file paths (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) appear in auditd PATH records. Timestamp analysis confirms these are pre-install baseline scans (1771954573) and post-install verification checks (1771954593) performed by the Oathe audit harness itself, not by any code in the skill.
INFO openclaw-gateway maintains persistent connections to AWS -10
The connection diff shows openclaw-gateway (pid=1089) maintaining two ESTAB connections to 54.211.197.216:443 (AWS) post-install. This is the Oathe execution framework's telemetry/reporting infrastructure, not skill-originated network activity.
INFO Skill grants broad exec tool access without scope limiting -10
The skill instructs the agent to use the exec tool to run any Docker command. While not a prompt injection attack, this broad grant means the skill extends significant capability to the agent. Users of this skill should be aware the agent will execute arbitrary docker commands on their behalf.