dockerfile-basics

Pass

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: LOW
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis

The skill consists of a Markdown file (SKILL.md) describing Dockerfile best practices, a reference Markdown file (references/DOCKERFILE-BEST-PRACTICES.md), and a shell script (scripts/dockerfile-lint.sh).

SKILL.md & references/DOCKERFILE-BEST-PRACTICES.md:

  • These files are purely informational and contain no executable code or instructions for the LLM that could lead to prompt injection, data exfiltration, or other malicious activities. They describe Dockerfile syntax and best practices.
  • No obfuscation, sensitive file paths, or network requests were found.

scripts/dockerfile-lint.sh:

  • This script is designed to lint a Dockerfile using hadolint.
  • COMMAND_EXECUTION: The script executes shell commands (command -v hadolint, docker run, hadolint). This is its intended functionality and not inherently malicious.
  • EXTERNAL_DOWNLOADS (LOW): If hadolint is not found locally, the script executes docker run --rm -i hadolint/hadolint < "$DOCKERFILE". This command pulls and runs the hadolint/hadolint Docker image from Docker Hub. While this is an external dependency and a download, hadolint is a widely recognized and trusted open-source Dockerfile linter. Therefore, this is flagged as a LOW severity finding because the image comes from a trusted external source.
  • Data Exfiltration: The script reads the specified Dockerfile ($DOCKERFILE) but does not exfiltrate its content or any sensitive system files to external, untrusted destinations.
  • Privilege Escalation: The script uses docker run, which requires Docker daemon access. While Docker commands can imply elevated privileges in some environments, the script itself does not attempt to gain new privileges (e.g., via sudo or chmod 777) beyond what is typically configured for Docker users. This is considered standard operation for a Docker-related script.
  • No prompt injection, obfuscation, persistence mechanisms, or time-delayed attacks were detected in any of the files.

Audit Metadata

Risk Level: LOW
Analyzed: Feb 13, 2026, 02:12 AM