docker-compose

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE)
Full Analysis
  • COMMAND_EXECUTION (HIGH): The skill provides the agent with the ability to run arbitrary commands within containers using docker compose exec and docker compose run --rm web npm test. This allows for direct shell access to the containerized environment.
  • PROMPT_INJECTION (HIGH): The skill is designed to help the agent generate and manage Docker Compose configurations based on user requirements. This creates an Indirect Prompt Injection surface where an attacker could provide malicious application requirements to trick the agent into creating insecure configurations (e.g., mounting the host root filesystem or exfiltrating data via environment variables).
      • Ingestion points: System architecture requirements and service definitions provided to the agent.
      • Boundary markers: Absent; the skill does not define delimiters to separate user input from the generated YAML structure.
      • Capability inventory: docker compose up, docker compose build, docker compose exec, and docker compose run documented in SKILL.md.
      • Sanitization: Absent; no validation or escaping logic is provided for user-supplied environment variables or volume paths.
  • CREDENTIALS_UNSAFE (LOW): Examples in the YAML configuration contain hardcoded placeholder credentials such as POSTGRES_PASSWORD: secret. While these are clearly for illustrative purposes, they set a poor security precedent for generated configurations.
  • PRIVILEGE_ESCALATION (MEDIUM): The 'Reverse Proxy' example includes mounting /var/run/docker.sock:/var/run/docker.sock:ro. While mounted as read-only, access to the Docker socket allows a container to query information about all other containers and the host Docker daemon, which is a common step in container escape and privilege escalation chains.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 06:33 AM