docker-best-practices
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFE
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): The skill contains a confirmed remote code execution pattern where an external script is downloaded and executed directly through the shell.
- Evidence:
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | shwas identified by automated scanners. This pattern bypasses verification and executes arbitrary instructions from a source organization (aquasecurity) not included in the trusted provider list. - [CREDENTIALS_UNSAFE] (HIGH): The Docker configuration file contains multiple hardcoded credentials and secrets.
- Evidence (references/docker-compose-template.yml): Hardcoded values include
POSTGRES_PASSWORD: postgres,SECRET_KEY=dev-secret-key-do-not-use-in-production, andJWT_SECRET_KEY=dev-jwt-secret-do-not-use-in-production. - Risk: Exposure of these secrets in version control or configuration templates can lead to unauthorized access to application databases and user sessions.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill references external container images and scripts from sources that are not explicitly trusted.
- Evidence: References to
postgres:16,redis:7-alpine, and the Trivy installer script onraw.githubusercontent.com.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata