Skills docker-socket-proxy

Manage a remote Docker host via a Tecnativa docker-socket-proxy instance. Unlike raw Docker socket access (which is root-equivalent), docker-socket-proxy acts as a firewall: each API section is individually enabled or disabled via env vars, so the agent only gets access to what you explicitly allow. Requires docker-socket-proxy exposed over TCP. Covers the full Docker REST API surface: container lifecycle (list, start, stop, restart, kill, pause, unpause, rename, exec), inspection (logs, stats, top, changes), images, networks, volumes, Swarm, plugins, system info, and event streaming.

install

source · Clone the upstream repo

git clone https://github.com/openclaw/skills

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/openclaw/skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/bp602/docker-socket-proxy" ~/.claude/skills/clawdbot-skills-docker-socket-proxy && rm -rf "$T"

manifest: skills/bp602/docker-socket-proxy/SKILL.md

source content

Docker Socket Proxy

Manages Docker containers via the

tecnativa/docker-socket-proxy

REST API using

curl

and

jq

. Which modes are available depends on which API sections the proxy instance has enabled.

Trigger conditions

User asks to list, start, stop, restart, kill, pause, or unpause a container or service
User wants container logs, stats, top processes, or filesystem changes
User asks about Docker images, networks, volumes, swarm services, or tasks
A service needs to be restarted after a config change

Usage

bash {baseDir}/scripts/run-docker.sh <mode> [args...]

Run with no arguments for full usage. Proxy URL is resolved from

$DOCKER_PROXY_URL

→

$DOCKER_HOST

(tcp→http) →

http://localhost:2375

Modes

System

Mode	Description
`ping`	Health check
`version`	Docker version
`info`	Host summary (containers, memory, etc.)
`events [--since T] [--until T] [--filters k=v]`	Recent events (1s window)
`system-df`	Disk usage by images/containers/volumes

Containers

Mode	Description
`list`	Running containers
`list-all`	All containers including stopped
`inspect <name>`	Full container details
`top <name> [ps-args]`	Running processes inside container
`logs <name> [tail]`	Container logs (default tail=100)
`stats <name>`	CPU, memory, network, block I/O
`changes <name>`	Filesystem changes since start
`start <name>`	Start container
`stop <name> [timeout]`	Stop container
`restart <name> [timeout]`	Restart container
`kill <name> [signal]`	Kill container (default SIGKILL)
`pause <name>`	Pause container
`unpause <name>`	Unpause container
`rename <name> <new-name>`	Rename container
`exec <name> <cmd> [args...]`	Run command in container
`prune-containers`	Remove stopped containers

Images

Mode	Description
`images`	List images
`image-inspect <name>`	Image details
`image-history <name>`	Layer history
`prune-images`	Remove unused images

Networks

Mode	Description
`networks`	List networks
`network-inspect <name>`	Network details and connected containers
`prune-networks`	Remove unused networks

Volumes

Mode	Description
`volumes`	List volumes
`volume-inspect <name>`	Volume details
`prune-volumes`	Remove unused volumes

Swarm

Mode	Description
`swarm`	Swarm info
`nodes`	List nodes
`node-inspect <name>`	Node details
`services`	List services
`service-inspect <name>`	Service details
`service-logs <name> [tail]`	Service logs
`tasks`	List tasks
`configs`	List configs
`secrets`	List secrets

Plugins

Mode	Description
`plugins`	List plugins

Name matching

Container names can be partial —

myapp

matches

project-myapp-1

. Exact match is tried first, then substring. Errors clearly if 0 or 2+ containers match.

Notes

Modes that require disabled proxy sections (e.g.
```
IMAGES
```
,
```
NETWORKS
```
,
```
VOLUMES
```
,
```
SYSTEM
```
) will return HTTP 403. This is expected — enable the relevant env var on the proxy to unlock them.
```
exec
```
is two-step (create + start) and streams multiplexed output.
```
events
```
uses a 1-second window by default; use
```
--since
```
/
```
--until
```
to adjust.