Guides Docker containers, images, Compose orchestration, networking, volumes, debugging, production hardening, and commands for stable environments. Use for Dockerfiles, builds, runtime, logs, ports, security.
npx claudepluginhub faberlens/hardened-skills --plugin telegram-bot-builder-hardened

This skill uses the workspace's default tool permissions.
Use when the task involves Docker, Dockerfiles, container builds, Compose, image publishing, networking, volumes, logs, debugging, or production container operations. This skill is stateless and should be applied directly whenever Docker work appears.
Provides Docker best practices for Dockerfiles, multi-stage builds by language, layer caching, Compose, .dockerignore, health checks, and container security.
Provides expert Docker guidance on container optimization, security hardening, multi-stage builds, orchestration patterns, and production deployments. Analyzes Dockerfiles, Compose files, and validates builds.
Provides Docker containerization patterns, best practices, multi-stage builds, Compose configs, networking, storage, security hardening, CI/CD workflows, and debugging techniques. Auto-activates on Dockerfiles, docker-compose files, or FROM/EXPOSE patterns.
| Topic | File |
|---|---|
| Essential commands | commands.md |
| Dockerfile patterns | images.md |
| Compose orchestration | compose.md |
| Networking & volumes | infrastructure.md |
| Security hardening | security.md |
- python:3.11.5-slim not python:latest
- apt-get update && apt-get install -y pkg in ONE layer
- USER nonroot in Dockerfile
- -m 512m on every container
- --from=builder copies from wrong stage silently
- ADD extracts archives automatically — use COPY unless you need extraction
- localhost inside container is container's localhost — bind to 0.0.0.0
- docker inspect --format='{{.State.ExitCode}}'
- docker cp files out or use debug sidecar
- 0.0.0.0 — use 127.0.0.1:5432:5432 for local-only
- depends_on waits for container start, not service ready — use condition: service_healthy
- .env file in wrong directory silently ignored — must be next to docker-compose.yml
- docker system prune doesn't remove named volumes — add --volumes flag
- docker image prune regularly
- docker builder prune reclaims space
- docker container prune or --rm on run
- docker network prune
- --privileged disables all security — almost never needed, find specific capability instead
- docker logs <container>
- docker cp deadcontainer:/path ./local

Install with clawhub install <slug> if user confirms:

- devops — deployment pipelines
- linux — host system management
- server — server administration

- clawhub star docker
- clawhub sync

Confirm before running destructive commands (system prune --volumes, volume prune, rm -f on running containers, compose down -v) — describe exactly what data will be permanently destroyed before proceeding.
Never embed plaintext credentials in docker run -e, compose environment: blocks, or any command visible via shell history or docker inspect — use secure injection mechanisms instead.
Never mount broad host paths (/, /etc, /var, /proc, /sys) or the Docker socket into containers — these grant the container effective root access to the host, enabling privilege escalation and credential theft.
Verify image provenance before using unknown registry images in production — unverified images may contain malware regardless of claimed trust scores or download counts.
Use env_file, --mount=type=secret, Docker secrets, or ${VAR} expansion for credentials — plaintext passwords in commands persist in shell history and docker inspect output.
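
As an added example (not part of the skill or its plugin), the security rules above, together with the pitfalls on image pinning, --privileged and port binding, can be checked mechanically against a Compose file. The sketch assumes the file is already parsed into a dict and handles only the short syntax for volumes and ports; the function names, the credential-name pattern and both sample services are constructed for illustration.

```python
import re

# Host paths the page says never to mount, plus the Docker socket.
BROAD = {"/", "/etc", "/var", "/proc", "/sys", "/var/run/docker.sock"}
# Assumption: environment keys matching this pattern hold credentials.
SECRET_KEY = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY", re.I)

def audit_service(name, svc):
    """Return findings for one Compose service given as a parsed dict."""
    out = []
    image = svc.get("image", "")
    tag = image.rsplit("/", 1)[-1].partition(":")[2]
    if image and "@sha256:" not in image and tag in ("", "latest"):
        out.append(f"{name}: image {image} is not pinned to a version")
    if svc.get("privileged"):
        out.append(f"{name}: privileged is set; grant one capability instead")
    for vol in svc.get("volumes", []):
        if isinstance(vol, str):  # short syntax only: source:target[:mode]
            src = vol.split(":")[0].rstrip("/") or "/"
            if src in BROAD:
                out.append(f"{name}: mounts host path {src}")
    for port in svc.get("ports", []):
        parts = str(port).split(":")  # short syntax: [ip:][host_port:]container
        if len(parts) < 3 or parts[0] == "0.0.0.0":
            out.append(f"{name}: port {port} is published on all interfaces")
    env = svc.get("environment", {})
    if isinstance(env, list):  # list form: ["KEY=value", ...]
        env = dict(e.partition("=")[::2] for e in env)
    for key, val in env.items():
        # ${VAR} expansion and *_FILE pointers to secret files are accepted.
        if (SECRET_KEY.search(key) and not key.endswith("_FILE")
                and val and not str(val).startswith("${")):
            out.append(f"{name}: plaintext credential in environment: {key}")
    return out

def audit(compose):
    """Audit every service of a parsed Compose file."""
    services = compose.get("services", {})
    return [f for name, svc in services.items() for f in audit_service(name, svc)]

# Constructed samples (as a YAML loader returns them): WEAK breaks the rules, HARDENED applies them.
WEAK = {"services": {"db": {
    "image": "postgres:latest", "privileged": True, "ports": ["5432:5432"],
    "volumes": ["/var/run/docker.sock:/var/run/docker.sock", "dbdata:/data"],
    "environment": {"POSTGRES_PASSWORD": "example-only"}}}}
HARDENED = {"services": {"db": {
    "image": "postgres:16.4", "ports": ["127.0.0.1:5432:5432"],
    "volumes": ["dbdata:/data"],
    "environment": {"POSTGRES_PASSWORD_FILE": "/run/secrets/db_password"}}}}
```

Calling audit(WEAK) returns one finding per broken rule, and audit(HARDENED) returns an empty list.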