Missing User Warnings
Medium
- Confidence: 79% confidence
- Finding: The skill includes `docker build --secret id=npmrc,src=$HOME/.npmrc .`, which can cause local credential material from the user's home directory to be injected into a build context and potentially used to access external package services. Although BuildKit secrets are a legitimate Docker feature, the example provides no warning about privacy, credential sensitivity, or the risk of exposing repository or host data during networked builds.
