by 安全扫描
OpenClaw
安全
high confidenceThe skill's requested actions and inputs are consistent with its stated purpose (generating production docker-compose files); it is instruction-only and does not request unrelated credentials or installs, but it will read project files (including .env) and generate configuration that you should review before use.
评估建议
This skill appears coherent for creating production docker-compose.yml files. Before using it: (1) be aware it will read your project files and .env files — those often contain secrets, so avoid exposing them to third parties and don’t commit them to source control; (2) review the generated docker-compose.yml before running it in production (check healthchecks, ports, network settings, and that no insecure defaults like weak passwords remain); (3) consider replacing env_file usage with a secrets...详细分析 ▾
✓ 用途与能力
Name/description match the instructions: the SKILL.md details detecting the app stack, ports, databases, and producing a production-ready docker-compose.yml. No unrelated binaries, credentials, or install steps are requested.
ℹ 指令范围
The instructions require scanning the project directory and reading files such as Dockerfile, package manifests, and .env/.env.local/.env.example to detect stack, ports, and environment variables. That file access is necessary for the stated task, but it does mean the skill will read files that often contain secrets (e.g., .env). The SKILL.md does not instruct the agent to transmit data to external endpoints or read unrelated system paths.
✓ 安装机制
Instruction-only skill with no install spec and no code files — lowest-risk install surface. Nothing is downloaded or written by an installer step described in the registry metadata.
ℹ 凭证需求
The registry metadata doesn't request environment variables or credentials. The runtime instructions reference and prefer using .env (env_file) and Docker Compose variable interpolation (e.g., ${POSTGRES_PASSWORD:?...}). Reading .env files is proportional to generating a compose file, but those files can contain secrets, so review them carefully before sharing or committing.
✓ 持久化与权限
always is false and model invocation is permitted by default. The skill does not request persistent/system-level privileges or modify other skills' configs according to the provided metadata and SKILL.md.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/8
Initial release — generate production-ready docker-compose files for any project. - Detects stack (Node.js, Python, Go, Java, Ruby, PHP, etc.), application ports, and databases. - Automatically includes health checks, network segmentation (frontend/backend/database), resource limits, and log rotation. - Adds restart policies, secrets management with env files, and persistent backup volumes for databases. - Ensures service isolation by binding app ports to localhost and following best practices for Compose in production. - Stack-agnostic: works for any Dockerized app when the user requests a production-ready Compose file.
● 无害
安装命令
点击复制官方npx clawhub@latest install compose-prod
镜像加速npx clawhub@latest install compose-prod --registry https://cn.longxiaskill.com