image-management
Warn
Audited by Snyk on Feb 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). This skill explicitly instructs fetching and searching images from public registries (e.g., "docker pull" and "docker search", which target Docker Hub or arbitrary registries) and then inspecting and analyzing those images with tools such as "docker inspect", dive, and Trivy, so the agent would consume untrusted third-party image content as part of its workflow.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.70). Although most instructions are standard Docker image management, the skill tells the user to run containers that bind the host Docker socket, to run system-wide prune/push/pull operations, and to create host volumes/files, all of which can modify host state and enable privilege escalation or other compromises.