The Agent Skills Directory

COMMAND_EXECUTION (MEDIUM): The management scripts scripts/docker-build.sh and scripts/docker-run.sh use the eval statement to execute shell commands constructed from variables derived directly from user-supplied arguments.
Evidence (scripts/docker-build.sh): eval $DOCKER_CMD at line 124. The $DOCKER_CMD string includes variables like IMAGE_NAME, TAG, and PLATFORM which are not sanitized before execution.
Evidence (scripts/docker-run.sh): eval $DOCKER_CMD at line 155. This follows an identical pattern, interpolating multiple variables including CONTAINER_NAME and VOLUMES into an eval call.
Impact: An attacker or a compromised automated system providing a malicious string as a parameter (e.g., a semicolon followed by a system command) could achieve arbitrary code execution on the host environment.
DATA_EXFILTRATION (SAFE): The provided .dockerignore file correctly identifies and excludes sensitive local files such as .env, .pem, and .git directories, preventing accidental exposure within the container images.
EXTERNAL_DOWNLOADS (SAFE): Base images in the Dockerfiles target official and well-maintained repositories (node:18-alpine, nginx:alpine) on Docker Hub.

docker-containerization