depot-container-builds

Warn

Audited by Socket on Feb 22, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Credential file access detected

This is documentation for a remote container build skill using Depot. The commands, flags, and network endpoints are consistent with the stated purpose. There are no direct signs of malicious code or supply-chain download-execute patterns in this documentation. The legitimate security concerns are credential and secret exposure risks inherent to remote build systems: use of --secret, --ssh, shared layer cache, and passing tokens or doing docker login are all sensitive operations that must be handled carefully. Overall the content appears benign but operators should follow best practices for secrets (avoid putting secrets in build context, prefer build-time secret mechanisms, restrict project access) and verify they trust the depot binaries/endpoints before use.

LLM verification: This skill is documentation for using a remote build service (Depot). It is functionally coherent and matches its stated purpose. The main security issue is operational: the documented commands intentionally forward secrets, SSH agents, and tokens to remote builders and use a third-party registry domain (registry.depot.dev). That exposure is expected for a remote build workflow but constitutes a moderate supply-chain risk — users should avoid sending long-lived private keys, unencrypted secrets,

Confidence: 90%
Severity: 75%

Audit Metadata

Analyzed At: Feb 22, 2026, 04:22 PM
Package URL: pkg:socket/skills-sh/depot%2Fskills%2Fdepot-container-builds%2F@7de85dac20d13b1991d8ff3fdb8b8dc1d65fa523