podman
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill's primary purpose is executing container management commands. Tools like podman run, podman exec, and podman build allow for the execution of arbitrary binaries and scripts, which can be exploited if an agent processes untrusted Dockerfiles or container images.
- [PRIVILEGE_ESCALATION] (HIGH): The skill explicitly includes sudo commands for system-level modifications, such as sudo usermod and sudo sysctl. Providing an agent with instructions to perform host-level privilege escalation is a significant security risk.
- [INDIRECT_PROMPT_INJECTION] (HIGH): The skill creates a high-tier attack surface.
  - Ingestion points: Data enters the agent's context through podman logs, podman inspect, and the processing of external mypod.yaml or deployment.yaml files.
  - Boundary markers: None are present to distinguish between trusted instructions and untrusted container output.
  - Capability inventory: The skill provides full access to podman (documented in SKILL.md), allowing for file system mounting, network access, and arbitrary subprocess execution.
  - Sanitization: There is no mention of sanitizing or escaping data retrieved from containers or registries before it is processed by the agent.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The documentation recommends pip install podman-compose. While this is a standard tool, installing third-party packages from PyPI introduces a dependency risk that should be reviewed.
- [DATA_EXPOSURE] (MEDIUM): The skill references ~/.config/containers/auth.json, a sensitive file containing registry authentication tokens. While it doesn't exfiltrate the file, highlighting its location to an agent increases the risk of credential exposure.
Recommendations
- AI detected serious security threats
Audit Metadata