Trust Assessment
docker-expert received a trust score of 57/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 2 high, 2 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Covert behavior / concealment directives, Direct Shell Command Execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Direct Shell Command Execution The skill explicitly instructs the LLM to execute shell commands using `docker`, `find`, and `docker-compose` for environment detection, project analysis, and validation. This includes powerful commands like `docker build`, `docker run`, and `docker exec`. The phrasing 'Shell commands are fallbacks' and 'Validate thoroughly' indicates these commands are intended for execution. If any part of these commands (e.g., Dockerfile content, image names, commands to execute inside containers, file paths) is derived from untrusted user input, it could lead to arbitrary command injection and execution on the host system or within containers. Avoid direct execution of shell commands. Instead, use safer, sandboxed APIs or internal tools that validate and sanitize all inputs. If shell execution is absolutely necessary, implement strict input validation, allowlisting of commands and arguments, and execute within a highly restricted environment (e.g., a container with minimal privileges). | LLM | SKILL.md:20 | |
| HIGH | Broad System and Docker Daemon Access The skill's operational instructions require extensive permissions, including direct access to the host's shell to execute `docker` and `find` commands, and implicitly, full access to the Docker daemon. This level of access is excessive for an AI agent and significantly increases the attack surface. A compromised agent could leverage these permissions to manipulate the host system, Docker containers, or exfiltrate data. Design skills to operate with the principle of least privilege. If Docker interaction is required, use a dedicated, sandboxed Docker client library with strict access controls, rather than direct shell execution. Limit filesystem access to specific, necessary directories. | LLM | SKILL.md:20 | |
| MEDIUM | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 | |
| MEDIUM | Filesystem Traversal and System Information Disclosure The skill uses `find .` commands for 'Project structure analysis' and `docker info`, `docker ps`, `docker images`, `docker exec ... ps aux` for environment and runtime validation. While `find` output is limited by `head`, and `docker` commands are informational, the capability to traverse the filesystem and extract system/process information exists. If an attacker can manipulate the `find` arguments or prompt the agent to inspect sensitive directories or container processes, it could lead to the disclosure of confidential file names, paths, or process details. Restrict filesystem access to only explicitly required paths. Sanitize and validate all inputs used in `find` commands. Avoid using `ps aux` or similar commands that expose detailed process information unless absolutely necessary and with strict output filtering. Prefer internal, sandboxed APIs for file listing and system information retrieval. | LLM | SKILL.md:27 | |
| LOW | Covert behavior / concealment directives Multiple zero-width characters (stealth text) Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Scan History
Embed Code
[](https://skillshield.io/report/e86a7f15246677ec)
Powered by SkillShield