docker-workflows

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill has a significant indirect prompt injection surface. It is designed to ingest and process potentially untrusted project metadata (such as pyproject.toml and uv.lock) to generate and execute Docker commands. An attacker could craft malicious project files to influence the generated Dockerfile or Compose configuration to execute arbitrary code or exfiltrate data via volume mounts.
      • Ingestion points: Local project directory and dependency manifest files.
      • Boundary markers: Absent.
      • Capability inventory: Host-level execution via docker build, docker run, and docker-compose.
      • Sanitization: Absent.
  • [COMMAND_EXECUTION] (HIGH): The skill provides instructions for the destructive command 'docker system prune -a', which removes all unused images, containers, and networks. In an automated agent context, this poses a risk of significant data loss or service disruption.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill pulls external binaries and images from ghcr.io/astral-sh/uv during the container build process. While a standard registry, it represents a remote code dependency.
  • [CREDENTIALS_UNSAFE] (LOW): The Docker Compose example includes hardcoded placeholder credentials (user:password) which match detection patterns for unsafe credential exposure.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:29 PM