skills/fix-orbstack-docker-pull/SKILL.md
Diagnose and fix Docker image pull failures on macOS with OrbStack, especially Docker Hub EOF/TLS/manifest errors caused by system proxies, Clash/CyberClash/Mihomo/Surge-style TUN mode, fake-ip DNS such as 198.18.0.x, or unstable registry access. Use when `docker pull` or `docker manifest inspect` fails with EOF, SSL_ERROR_SYSCALL, failed to fetch anonymous token, failed to resolve reference, failed to copy, or registry-1.docker.io/auth.docker.io connectivity confusion.
npx skillsauth add hexbee/hello-skills fix-orbstack-docker-pull
Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Treat Docker Hub EOF on OrbStack as a network path problem until proven otherwise. Do not assume the image is missing, private, or platform-incompatible before testing a small public image and the daemon's proxy path.
Expected responses that are not failures:
- `curl -I https://auth.docker.io` returning HTTP/2 404 is normal for the auth service root.
- `curl -I https://registry-1.docker.io` returning HTTP/2 404 is normal for the registry root.
- `curl -I https://registry-1.docker.io/v2/` returning 401 with `www-authenticate: Bearer ...` is the expected unauthenticated registry response.

Suspicious signals:
- `docker pull hello-world:latest` fails with `Head "https://registry-1.docker.io/v2/.../manifests/latest": EOF`.
- `docker buildx imagetools inspect` or `docker manifest inspect` fails while explicit `curl -x http://127.0.0.1:<port>` succeeds.
- `registry-1.docker.io` resolves to 198.18.0.x, which usually indicates Clash-style fake-ip/TUN routing.

Run the bundled read-only diagnostic script first when local shell access is available:
/Users/jiamingfeng/.codex/skills/fix-orbstack-docker-pull/scripts/diagnose-orbstack-docker-pull.sh
If the skill has been installed elsewhere, resolve the script relative to this SKILL.md.
If running manually, collect these facts:
docker version
docker info
orb version
orb config get network_proxy
sed -n '1,120p' ~/.orbstack/config/docker.json
networksetup -getwebproxy Wi-Fi
networksetup -getsecurewebproxy Wi-Fi
dscacheutil -q host -a name registry-1.docker.io
dig registry-1.docker.io
netstat -rn -f inet | grep -E '198\.18|default|utun'
curl -I --max-time 15 https://registry-1.docker.io/v2/
curl -x http://127.0.0.1:7890 -I --max-time 15 https://registry-1.docker.io/v2/
docker pull hello-world:latest
Adapt the proxy port from networksetup; do not hard-code 7890 unless the system proxy reports it.
docker pull hello-world:latest
If hello-world also fails with Docker Hub EOF, focus on daemon networking rather than the requested image.
networksetup -getwebproxy Wi-Fi
networksetup -getsecurewebproxy Wi-Fi
ps aux | grep -Ei 'clash|cyberclash|mihomo|sing-box|surge|stash|v2ray|xray|shadow|proxy' | grep -v grep
If Server: 127.0.0.1 and Port: 7890 appear, the proxy URL is http://127.0.0.1:7890. Use the actual service name if the Mac is not using Wi-Fi.
orb config set network_proxy http://127.0.0.1:<port>
orb restart docker
Verify:
orb config get network_proxy
docker pull hello-world:latest
{
"max-concurrent-downloads": 1
}
Write that JSON to ~/.orbstack/config/docker.json, preserving any existing daemon settings. Then restart:
orb restart docker
docker pull <image>
docker pull <image>
docker system df
orb logs docker | tail -80
Docker often retains partially downloaded blobs after an interrupted pull. Avoid docker system prune unless the user explicitly wants to discard partial progress.
- `registry-1.docker.io` resolving to 198.18.0.x is a fake-ip/TUN clue, not the real Docker Hub endpoint.
- `curl -x http://127.0.0.1:<port> -I https://registry-1.docker.io/v2/` succeeding while direct curl or Docker fails means the explicit proxy path is healthier than auto/TUN routing.
- `docker manifest inspect` may fail from the macOS-side client path even when `docker pull` succeeds through the daemon path; prioritize `docker pull hello-world` and the actual target pull for validation.
- docker system df growth or daemon logs before killing the pull.

These settings persist across Mac reboots:
orb config get network_proxy
sed -n '1,120p' ~/.orbstack/config/docker.json
Before future pulls, the user usually only needs OrbStack and the proxy app running. If the proxy app changes port, rerun:
orb config set network_proxy http://127.0.0.1:<new-port>
orb restart docker
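
The system-proxy check and the 198.18.0.x fake-ip clue described above, combined into one helper that can be tested offline. This is an added example, not the skill's bundled diagnose-orbstack-docker-pull.sh; the function names, the hint wording and the sample `networksetup` outputs are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example. Sample outputs are constructed, not captured from a real Mac.
SAMPLE_ON='Enabled: Yes
Server: 127.0.0.1
Port: 7890
Authenticated Proxy Enabled: 0'
SAMPLE_OFF='Enabled: No
Server:
Port: 0
Authenticated Proxy Enabled: 0'

# Read `networksetup -getwebproxy <service>` output on stdin and print
# http://<server>:<port> only when the proxy is enabled with a usable port.
proxy_url_from_networksetup() {
  awk -F': ' '
    $1 == "Enabled" { enabled = $2 }
    $1 == "Server"  { server = $2 }
    $1 == "Port"    { port = $2 }
    END {
      if (enabled == "Yes" && server != "" && port ~ /^[0-9]+$/ && port + 0 > 0)
        printf "http://%s:%s\n", server, port
    }'
}

# Succeed when the address is in 198.18.x.x, the fake-ip/TUN clue from the page.
is_fake_ip() {
  case "$1" in
    198.18.*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# $1 = address registry-1.docker.io resolved to; stdin = networksetup output.
# Prints a hypothetical next-step hint (wording is this example's, not OrbStack's).
classify_pull_path() {
  url=$(proxy_url_from_networksetup)
  if is_fake_ip "$1" && [ -n "$url" ]; then
    echo "fake-ip: orb config set network_proxy $url"
  elif is_fake_ip "$1"; then
    echo "fake-ip: no system proxy reported, find the proxy app port"
  elif [ -n "$url" ]; then
    echo "proxy: test curl -x $url before changing OrbStack"
  else
    echo "direct: no fake-ip or system proxy detected"
  fi
}
```

On a real Mac, pipe `networksetup -getwebproxy <service>` into `classify_pull_path` and pass the address reported by `dscacheutil` as the argument.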