dockerfile-skill

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). This skill explicitly auto-generates config files "including secrets" (e.g., .env.docker.local / docker-compose envs) and would produce literal credential values in output files/commands, so the LLM must render secrets verbatim in its outputs.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's build phase invokes docker builds that include RUN lines which fetch-and-execute remote installers (e.g., "curl ... https://sh.rustup.rs | sh" and "curl -fsSL https://bun.sh/install | bash"), so these external URLs would be fetched and executed during runtime and are required for native toolchain installation.