Security Audit
Jamkris/everything-gemini-code:skills/docker-patterns
github.com/Jamkris/everything-gemini-code
Trust Assessment
Jamkris/everything-gemini-code:skills/docker-patterns received a trust score of 60/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 1 medium, and 1 low severity. Key findings include Hardcoded Weak Credentials in Development Example and Broad Bind Mount in Development Container.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on March 30, 2026 (commit 6c6f43aa). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Hardcoded Weak Credentials in Development Example. The example `docker-compose.yml` for local development hardcodes default and weak credentials (`postgres`/`postgres`) for the PostgreSQL database. While common for local development, this sets a poor security example and could be mistakenly used in less secure environments or copied without understanding the risks. Although the skill later advises against hardcoding secrets, this specific example precedes that advice. Modify the example to use environment variables loaded from a `.env` file (as suggested later in the skill) or Docker secrets, even for development. Alternatively, add an immediate warning next to the example emphasizing that these credentials are for development only and should never be used in production, and ideally should be managed more securely even for local dev. | Static | SKILL.md:29 |
| LOW | Broad Bind Mount in Development Container. The `app` service in the development `docker-compose.yml` uses a bind mount `.:/app`, which mounts the entire host project directory into the container. While this is a common pattern for hot-reloading during development, it grants the container broad access to the host's filesystem within the project directory. If the container were compromised, it could potentially access or modify sensitive files on the host machine that are part of the project but not strictly necessary for the application's runtime (e.g., configuration files, `.git` directory, other scripts). The skill does recommend non-root users and capability dropping, which mitigates the impact, but the broad scope remains. Suggest explicitly limiting bind mounts to only the necessary subdirectories (e.g., `./src:/app/src`) if possible, or adding a note about the security implications of mounting the entire project directory, even for development, and how to further restrict container access. | Static | SKILL.md:25 |