Trust Assessment
Docker Manager received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 3 critical, 0 high, 0 medium, and 0 low severity. The key findings are: untrusted content attempts to manipulate LLM instructions and behavior; the skill is designed for arbitrary shell command execution; and broad access to the `docker` binary grants high system privileges.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Details and recommendation | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Untrusted content attempts to manipulate LLM instructions and behavior | The untrusted `SKILL.md` contains multiple direct instructions intended for the host LLM. It attempts to define the LLM's persona ("You are a Docker expert"), instruct it on tool usage ("Use the `exec` tool to run Docker commands"), and impose behavioral constraints and diagnostic steps ("Always ask for confirmation before running `docker rm`...", "summarize it for the user", "run `docker logs` and `docker inspect` to diagnose"). These are clear attempts to inject instructions into the host LLM's prompt, overriding its intended behavior and potentially leading to unintended actions or security bypasses. Recommendation: remove all instructional content intended for the LLM from the untrusted `SKILL.md` file. The LLM's persona, tool usage, and behavioral guidelines should be defined by the skill's trusted manifest or system prompt, not by user-provided or untrusted documentation. | LLM | SKILL.md:3 |
| CRITICAL | Skill designed for arbitrary shell command execution | The skill's manifest explicitly grants access to the `docker` binary, and the untrusted `SKILL.md` instructs the LLM to "Use the `exec` tool to run Docker commands". This design allows arbitrary `docker` commands to be executed, which can lead to command injection. A malicious user could craft inputs that cause the LLM to execute dangerous `docker` commands (e.g., `docker run -v /:/host --rm -it alpine chroot /host sh` for host compromise, or `docker exec` into sensitive containers). Recommendation: re-evaluate the necessity of granting direct `docker` binary access. If essential, implement strict input validation and sanitization for all arguments passed to `docker` commands. Consider using a more constrained Docker API client instead of direct shell execution, or a sandboxed environment with limited `docker` capabilities. Ensure the LLM is not directly constructing shell commands from user input without validation. | LLM | SKILL.md:3 |
| CRITICAL | Broad access to `docker` binary grants high system privileges | The skill's manifest (`bins: ["docker"]`) grants the AI agent direct access to the `docker` command-line interface. The `docker` command, especially when run with typical daemon privileges, provides extensive control over the host system, including the ability to run containers with root privileges, mount host filesystems, and potentially escape container isolation. This level of access is excessive for an AI agent skill and poses a severe security risk, as it can lead to full system compromise if exploited via command injection. Recommendation: restrict the `docker` binary's capabilities or remove it entirely if not strictly necessary. If `docker` interaction is required, consider using a more granular API or a highly sandboxed environment where the `docker` daemon itself runs with minimal privileges and strict resource limits. Implement a wrapper or proxy that only allows a predefined, safe subset of `docker` commands with validated arguments. | LLM | Manifest |
Full report: https://skillshield.io/report/b1f691ea3ce868ea