ddev
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill relies heavily on `ddev exec` to run shell commands inside Docker containers, and many of its examples wrap commands such as `npm install` and `composer install` in `bash -c`. Because `bash -c` re-parses its argument as shell source, this pattern becomes command injection whenever the agent interpolates an untrusted filename or directory path into the command string without rigorous sanitization.
- [REMOTE_CODE_EXECUTION] (HIGH): The file `scripts/resolve-ddev-root.sh` contains the path traversal string `../../../scripts/resolve-ddev-root.sh`, an attempt to execute a script located three levels above the skill's own directory. This violates the principle of skill isolation and could lead to the execution of arbitrary, unverified code from the host system's file tree.
- [INDIRECT_PROMPT_INJECTION] (HIGH): The skill is designed to process external project data to determine container paths and execution contexts.
  - Ingestion points: host filesystem paths, project configuration files (`.ddev/config.yaml`), and project root detection.
  - Boundary markers: absent. The instructions do not define delimiters for untrusted data.
  - Capability inventory: includes arbitrary command execution via `ddev exec`, package installation (`npm`, `composer`), and database manipulation.
  - Sanitization: absent. The skill assumes the local project and its directory structure are entirely trusted.
- [PRIVILEGE_ESCALATION] (MEDIUM): While `ddev` commands typically run within a container, they often operate with high privileges (e.g., as the `root` or `www-data` user) and have mount access to the host project directory. Exploiting a command injection via this skill could therefore allow an attacker to modify sensitive host files mounted inside the container.
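The injection pattern flagged in the COMMAND_EXECUTION finding, shown as an added shell example that is not code from the skill or from ddev itself. `ddev_exec` is a hypothetical stand-in for `ddev exec` (it runs its arguments locally instead of in a container), `sh -c` stands in for `bash -c` and re-parses its argument the same way, and `echo npm install` stands in for the real install. The directory name containing shell metacharacters is constructed to play the role of a project-supplied path.

```sh
#!/bin/sh
# Added example, not part of the audited skill or of ddev. Shows how splicing a
# project-controlled path into a `sh -c` / `bash -c` string becomes command
# injection, and the argument-passing form that does not.

# Hypothetical stand-in for `ddev exec`: ddev exec forwards its arguments to a
# shell in the container; here they run locally so the script needs no Docker.
ddev_exec() { "$@"; }

# Constructed untrusted input: a real directory whose name carries shell
# metacharacters, as a project layout or config file could supply.
setup_fixture() {
  root=$(mktemp -d)
  mkdir "$root/web; echo INJECTED"
  printf '%s\n' "$root/web; echo INJECTED"
}

# Vulnerable: the path is interpolated into the command string, so the inner
# shell parses the `;` in it as a command separator. The `cd` fails (the real
# directory is not named "web"), the injected `echo INJECTED` runs, and then
# the intended command runs in the wrong directory. stderr from the failed
# `cd` is silenced so the two variants are comparable.
install_vulnerable() {
  dir=$1
  ddev_exec sh -c "cd $dir && echo npm install" 2>/dev/null
}

# Hardened: the path travels as positional parameter $1 of a fixed script body.
# The inner shell never parses it as syntax, so `cd` receives the whole name
# and the install (stand-in `echo`) runs in the right place.
install_hardened() {
  dir=$1
  ddev_exec sh -c 'cd "$1" && echo npm install' _ "$dir" 2>/dev/null
}

# Demo when run directly: `sh example.sh demo`
if [ "${1:-}" = demo ]; then
  d=$(setup_fixture)
  echo "vulnerable:"; install_vulnerable "$d"
  echo "hardened:";   install_hardened "$d"
fi
```

The fix is the second form: the path reaches the container shell as an argument, so it is only ever a string handed to `cd`, never shell source. The same holds for any other interpolated value (package names, branch names, database names). Better still, avoid `bash -c` altogether and give `ddev exec` the command as separate arguments; this example assumes ddev exec accepts the command that way, which the skill's own `bash -c` wrapping suggests it does not need.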
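A containment check for the REMOTE_CODE_EXECUTION finding, as an added example that is neither the skill's code nor ddev's: before running a helper script, canonicalize its path and refuse it unless it lies under the skill directory. The fixture tree and the `../../../scripts/resolve-ddev-root.sh` reference are constructed to mirror the finding, and `run_helper` only echoes instead of executing the script.

```sh
#!/bin/sh
# Added example, not part of the audited skill or of ddev. Refuses to run a
# helper script unless its canonical path stays inside the skill directory,
# which is the check that would catch a ../../../ reference.

# Canonical absolute path of a file: resolve its directory with `pwd -P`, which
# collapses ".." components and follows symlinks. Fails if the directory is missing.
canonical_path() {
  dir=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 1
  printf '%s/%s\n' "$dir" "$(basename "$1")"
}

# Succeeds only if $2 resolves to a file located under directory $1. The slash
# after "$base" in the pattern stops /skill from matching /skill-evil/file.
is_within() {
  base=$(cd "$1" 2>/dev/null && pwd -P) || return 1
  target=$(canonical_path "$2") || return 1
  case $target in
    "$base"/*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Gate: a helper path given relative to the skill directory runs only if it is
# contained. `echo` stands in for actually executing the script.
run_helper() {
  skill=$1 rel=$2
  if is_within "$skill" "$skill/$rel"; then
    echo "ok: $rel"
  else
    echo "refused: $rel"
    return 1
  fi
}

# Constructed fixture: a skill three levels below a root that also holds a
# scripts/ directory, so ../../../scripts/ from the skill escapes it.
setup_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/x/y/skill/scripts" "$root/scripts"
  : > "$root/x/y/skill/scripts/resolve-ddev-root.sh"
  : > "$root/scripts/resolve-ddev-root.sh"
  printf '%s\n' "$root/x/y/skill"
}

# Demo when run directly: `sh example.sh demo`
if [ "${1:-}" = demo ]; then
  s=$(setup_fixture)
  run_helper "$s" scripts/resolve-ddev-root.sh
  run_helper "$s" ../../../scripts/resolve-ddev-root.sh || true
fi
```

Canonicalizing both sides with `pwd -P` is what makes the prefix comparison meaningful: a textual check on the unresolved string would be defeated by `..` segments and by symlinks planted inside the project tree, and the check has to run on the resolved path immediately before the script is executed, not once at install time.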
Recommendations
- AI detected serious security threats
Audit Metadata