docker-local-dev

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to read and generate .env and usage docs and even shows examples that embed explicit credentials (e.g., "user: root, pass: secret" in health checks and USAGE.md), which requires the LLM to handle and could output secret values verbatim.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill's generated Dockerfiles fetch and install remote executables at build/run time (e.g., RUN curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar and RUN curl -OL https://github.com/drush-ops/drush-launcher/releases/latest/download/drush.phar), which will be downloaded and executed during docker image build when the skill runs docker compose up, so these URLs constitute runtime external dependencies that execute remote code.