Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
containerlint
v1.0.1
Docker & container security anti-pattern analyzer -- detects Dockerfile issues, missing health checks, resource limit gaps, privileged containers, insecure n...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code: scripts perform local pattern-based scanning of Dockerfiles/compose/etc. Required binaries (git, bash, python3, jq) and the lefthook install are reasonable for file discovery, .gitignore checks, JSON parsing, and git-hook integration. Declaring a license key (CONTAINERLINT_LICENSE_KEY) as primary is consistent with the documented tiered feature gating.
Instruction Scope
Runtime instructions call the included dispatcher/analyzer/patterns scripts and perform local file scanning only. The skill reads ~/.openclaw/openclaw.json (if present) or the CONTAINERLINT_LICENSE_KEY env var to obtain a license; it uses local tools (python3/node/jq/openssl) to parse and optionally verify tokens. It also offers commands to install lefthook git hooks that will run pre-commit/pre-push and source the shipped scripts — this modifies repo-level lefthook.yml and will execute the skill code on commits/pushes, which is expected behavior but intrusive if unreviewed.
Install Mechanism
Install spec only asks to install the well-known 'lefthook' formula via brew. No arbitrary downloads or extract operations are present in the provided install metadata or code files. The scripts and config are bundled with the skill.
Credentials
Asking for a license key (CONTAINERLINT_LICENSE_KEY) is proportional to the tiered feature model. The license module optionally uses CLAWHUB_JWT_SECRET for signature verification and will try to read ~/.openclaw/openclaw.json to find a key; those behaviors are documented in the scripts but CLAWHUB_JWT_SECRET is not declared in requires.env. The scripts otherwise use common env vars (HOME, optional CONTAINERLINT_SKILL_DIR) and do not request unrelated credentials.
Persistence & Privilege
always:false and model invocation allowed by default. The notable persistent action is the optional lefthook/git-hook installation which writes or appends a lefthook.yml in a repository and causes the skill scripts to run on pre-commit/pre-push. This is a legitimate feature for a linter but is a persistence/privilege surface the user should review before enabling (it executes code from the skill on git operations).
Assessment
This skill appears to do what it says: local regex-based scanning of Dockerfiles and compose for container anti-patterns, with an optional paid license to unlock additional patterns. Before installing:
1) Review the bundled scripts (already provided) to confirm you accept their behavior.
2) Be aware 'hooks install' will add/append lefthook.yml to your repository and run these scripts on pre-commit/pre-push — back up your existing lefthook.yml if you have one.
3) The license key is read from CONTAINERLINT_LICENSE_KEY or ~/.openclaw/openclaw.json; only provide a key you trust.
4) The license module can optionally verify JWT signatures using CLAWHUB_JWT_SECRET (not required); if you don't set that env var, signature verification is skipped.
5) Installing lefthook via brew (as suggested) is standard but verify you want that dependency.
If you want extra caution, run the scanner manually (bash scripts/dispatcher.sh --path .) in a safe repo before enabling hooks or adding a license key.
Like a lobster shell, security has layers — review code before you run it.
latest: vk9749ryvpzd0j30sv5khjvzaqx84vdzm
Runtime requirements
🐳 Clawdis
OS: macOS · Linux · Windows
Bins: git, bash, python3, jq
Primary env: CONTAINERLINT_LICENSE_KEY
Install
Install lefthook (git hooks manager)
Bins: lefthook
brew install lefthook