Trust Assessment
docker-expert received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings: Potential Command Injection via Docker Build/Run; Excessive Permissions: Direct Host Docker Daemon Access; Information Disclosure via File System Enumeration.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Description | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Potential Command Injection via Docker Build/Run | The skill executes `docker build` and `docker run` commands directly on the host system. If the Dockerfile or the container image content being built or run is derived from untrusted user input, a malicious actor could embed arbitrary commands within the Dockerfile's `RUN` instructions or within the container image itself. This allows for arbitrary command execution on the host system (via the Docker daemon), potentially leading to full system compromise. | Avoid executing `docker build` or `docker run` on Dockerfiles or image content that originates from untrusted sources. If execution is absolutely necessary, implement strict sandboxing (e.g., running Docker in a highly isolated environment, using rootless Docker, or a dedicated VM/container for builds) and robust content validation for Dockerfiles. Prefer static analysis over dynamic execution for validation. | LLM | SKILL.md:39 |
| HIGH | Excessive Permissions: Direct Host Docker Daemon Access | The skill is designed to execute a wide range of `docker` and `docker-compose` commands directly on the host system's Docker daemon. This grants the skill extensive control over the host's container environment, including the ability to list, inspect, build, run, and stop containers and images. This level of access can be leveraged by a malicious actor (via prompt injection or compromised skill logic) to perform unauthorized actions, access host resources, or disrupt system operations. | Minimize the scope of shell commands executed by the skill. Where direct Docker daemon interaction is required, consider using a more granular API or a sandboxed environment (e.g., a dedicated, resource-limited Docker-in-Docker setup) to restrict potential impact. Implement strict input validation for all arguments passed to shell commands. | LLM | SKILL.md:26 |
| MEDIUM | Information Disclosure via File System Enumeration | The skill uses `find` commands to enumerate files within the current working directory and its subdirectories (e.g., `Dockerfile*`, `*compose*.yml`, `.dockerignore`). While not direct data exfiltration of file *contents*, this provides an attacker with valuable information about the file system structure and the presence of specific files, which can be a precursor to more targeted data exfiltration attempts or other attacks. | Restrict file system enumeration to only strictly necessary paths. If possible, use internal, sandboxed file system access methods that do not expose arbitrary file paths. Avoid using `find .` without a more specific starting directory if the current directory might contain sensitive information outside the skill's intended scope. | LLM | SKILL.md:29 |
Full report: https://skillshield.io/report/75c1bb60a381b122