podman
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [Unverifiable Dependencies] (MEDIUM): The skill recommends installing `podman-compose` using `pip install` without version pinning. This poses a supply chain risk as it downloads the latest version of an external package from a public registry at runtime.
- [Persistence Mechanisms] (MEDIUM): The skill contains instructions for creating systemd user services (using Quadlet/`.container` files) and enabling them with `systemctl --user enable`. While this is a primary use case for Podman (running services), it enables the creation of processes that persist across user sessions. Severity is downgraded from HIGH because this is a core intended functionality of the tool.
- [Indirect Prompt Injection] (LOW): The skill implements commands that ingest untrusted data from external sources into the agent's context.
  - Ingestion points: `podman logs` and `podman inspect` (SKILL.md).
  - Boundary markers: Absent; there are no instructions to the agent to ignore instructions embedded in logs or metadata.
  - Capability inventory: The skill allows for command execution via `podman exec`, container creation via `podman run`, and host-level package installation via `pip`.
  - Sanitization: Absent; the output of logs and inspections is processed directly.
- [Dynamic Execution] (LOW): The skill uses `podman exec` and `podman run` to launch processes inside containers. While isolated, this allows the execution of arbitrary commands, which is the primary purpose of the skill.
Audit Metadata