安全扫描
OpenClaw
安全
high confidenceThe skill is an instruction-only Docker Compose best-practices guide and its requirements and instructions are consistent with that purpose.
评估建议
This is an instruction-only guide for using Docker Compose; it does not install software or request credentials. Before using it, ensure the agent or environment that will execute these instructions actually has Docker/docker-compose installed and that you trust that agent to run container commands (those commands can create, modify, or delete containers and volumes — e.g., 'docker compose down -v' will delete volumes). Note the minor correctness point that 'deploy' resource limits are generally...详细分析 ▾
✓ 用途与能力
Name/description match the content: the SKILL.md gives Docker Compose advice and the declared binary requirement (docker-compose or docker) is appropriate and proportional.
ℹ 指令范围
Instructions stay within Docker Compose usage: healthchecks, depends_on, volumes, .dockerignore, overrides, profiles and env precedence. Minor note: the example using the deploy.resources stanza may be misleading because 'deploy' settings are ignored by plain docker-compose (they apply to swarm/stack contexts), but this is a correctness/usability issue rather than a security concern.
✓ 安装机制
No install spec and no code files — lowest-risk instruction-only skill. Nothing is downloaded or written to disk by the skill itself.
✓ 凭证需求
Skill declares no environment variables or credentials. The SKILL.md references .env and Docker secrets as part of normal Compose workflows but does not request or attempt to access unrelated secrets or external credentials.
✓ 持久化与权限
Skill is not always-enabled and does not request persistent privileges or modify other skills. It simply provides instructions that assume the user/agent can run Docker commands.
安全有层次,运行前请审查代码。
运行时依赖
🖥️ OSLinux · macOS · Windows
版本
latestv1.0.02026/2/10
● 无害
安装命令 点击复制
官方npx clawhub@latest install docker-compose
镜像加速npx clawhub@latest install docker-compose --registry https://cn.clawhub-mirror.com
技能文档
depends_on Ready Condition
depends_on:alone only waits for container start—service likely not ready yet- Add healthcheck + condition for actual readiness:
depends_on:
db:
condition: service_healthy
- Without healthcheck defined on target service,
service_healthyfails
Healthcheck start_period
healthcheck:
test: ["CMD", "pg_isready"]
start_period: 30s
start_period: initial grace period—health failures don't count during this time- Slow-starting services (databases, Java apps) need adequate start_period
- Without it, container marked unhealthy before it finishes initializing
Volume Destruction
docker compose downpreserves volumesdocker compose down -vDELETES ALL VOLUMES—data loss-voften added by habit from tutorials—catastrophic in production- Named volumes survive
down; anonymous volumes deleted ondown
Resource Limits in Development
deploy:
resources:
limits:
memory: 512M
- Set limits during development—catches memory issues early
- Unlimited container can consume all host memory—kills other processes
- Copy limits to production config—don't discover limits in prod
.dockerignore
- Without it:
node_modules,.git, secrets copied into image - Mirrors
.gitignoresyntax—create at same level as Dockerfile - Large build context = slow builds, large images, potential security issues
- At minimum:
.git,node_modules,.env,*.log, build artifacts
Override File Pattern
docker-compose.yml: base config that works everywheredocker-compose.override.yml: auto-loaded, development-specific (mounts, ports)- Production:
docker compose -f docker-compose.yml -f docker-compose.prod.yml up - Keep secrets and environment-specific config in override files, not base
Profiles for Optional Services
services:
mailhog:
profiles: [dev]
- Services with profiles don't start by default—cleaner
docker compose up - Enable with
--profile dev - Use for: test databases, debug tools, mock services, admin interfaces
Environment Variable Precedence
- Shell environment (highest)
.envfile in compose directoryenv_file:directiveenvironment:in compose file (lowest for that var).envmust be exactly.env—.env.localnot auto-loaded- Debug with
docker compose config—shows resolved values
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制