Docker Compose Linter

v1.0.0

Lint docker-compose.yml files for security, best practices, and port conflicts.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (lint docker-compose.yml) match the included Python script and SKILL.md commands. The lint rules and features described align with the code patterns seen (image/tag checks, port conflicts, healthchecks, privileged, hardcoded secrets detection). No unrelated capabilities (cloud access, secret stores, or system administration beyond reading the compose file) are requested.
Instruction Scope
SKILL.md instructs the agent/user to run the local Python script against a FILE argument. The visible code parses the provided compose text and reports issues; there are no instructions to read arbitrary system files, call external endpoints, or exfiltrate data. The parser and rules operate on the input compose file only.
Install Mechanism
There is no install spec; this is instruction-only with an included script. That is low-risk compared with fetching and executing remote code. The script is pure Python stdlib according to SKILL.md and STATUS.md and the visible code confirms no external package imports.
Credentials
The skill declares no required environment variables or credentials and the shown code does not access environment variables or secrets. The linter contains patterns to detect hardcoded secrets inside compose files (regex-based), which is appropriate for its purpose.
Persistence & Privilege
The skill is not marked always:true and does not request persistent or privileged presence. It appears to be a local tool invoked on demand and does not modify other skills or system-wide settings.
Assessment
This skill appears coherent for linting docker-compose.yml files: it runs a bundled Python script (pure stdlib) and does not ask for credentials. However: (1) the source/homepage is unknown — review the script yourself before running, especially on sensitive hosts; (2) the project uses a custom, indentation-based YAML parser (not a standard YAML library), which can produce false positives or mis-parse complex compose files — test on copies; (3) run it in a sandbox or CI runner with limited privileges if you plan to integrate it into automation; (4) STATUS.md shows a price, so confirm licensing or payment details out-of-band. If you want, I can scan the rest of the script (the file was truncated in the review) for any subprocess, network, or os.environ usage to raise confidence to high.

Like a lobster shell, security has layers — review code before you run it.
