docker-local-dev

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill auto-reads .env and generates files and documentation (examples show database credentials like "user: root, pass: secret") and therefore would require the agent to include real secret values verbatim in generated outputs, creating an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The Dockerfile templates explicitly download and install remote executables at image build/runtime (thus executing remote code), e.g. https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar and https://github.com/drush-ops/drush-launcher/releases/latest/download/drush.phar, so these are runtime external dependencies that can execute remote code.