lxc-lxd
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documents extensive use of the `lxc` and `incus` CLI tools for system-level operations, including launching containers, executing commands inside containers, and modifying host-level network and storage configuration.
- [EXTERNAL_DOWNLOADS]: Fetches an installation script from the well-known Docker domain (`get.docker.com`) for container setup.
- [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: Demonstrates an automated installation pattern that pipes a remote script from a well-known source directly to a shell (`curl | sh`) for Docker installation. Whatever the server returns at run time is executed as-is, so the script is neither reviewed nor pinned before it runs.
- [PRIVILEGE_ESCALATION]: Documents the use of privileged containers (`security.privileged=true`) and group membership changes (`usermod -aG lxd`), with the necessary security warnings about the implications: a privileged container runs without user namespace isolation on the shared host kernel, and membership of the `lxd` group gives unrestricted access to the LXD socket, which is equivalent to root on the host.
- [INDIRECT_PROMPT_INJECTION]: Identifies an attack surface for indirect prompt injection:
  - Ingestion points: user-provided container names and cloud-init YAML configurations in `references/common-patterns.md`.
  - Boundary markers: none present in the command templates to separate instructions from untrusted data.
  - Capability inventory: high-privilege operations, including `lxc exec`, `lxc file push`, and `lxc config set`, are available across the provided scripts.
  - Sanitization: no explicit sanitization or validation of input data is described in the reference patterns.
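As an added illustration of the two guards the findings above call for (example code written for this page, not part of the audited skill or of the Gen Agent Trust Hub report), the POSIX shell below validates an instance name against LXD's documented naming rules before it is interpolated into `lxc exec`, and replaces the `curl | sh` pattern with a download that is executed only when the saved file matches a SHA-256 pinned after review. The function names and the expected-hash placeholder are assumptions of this example; no real hash of the Docker installer is claimed.

```shell
#!/bin/sh
# Added example, not code from the audited skill. Function names are
# assumptions of this example.
LC_ALL=C
export LC_ALL

# validate_lxc_name NAME
# Returns 0 when NAME satisfies LXD's documented instance-name rules:
# 1 to 63 characters, ASCII letters, digits and hyphens only, not starting
# with a digit or hyphen, not ending with a hyphen. Anything else (shell
# metacharacters, spaces, multibyte characters) is rejected before it can
# reach a command line.
validate_lxc_name() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 63 ] || return 1
    case $name in
        *[!A-Za-z0-9-]*) return 1 ;;   # character outside the allowed set
        [0-9]*|-*|*-)    return 1 ;;   # bad leading or trailing character
    esac
    return 0
}

# safe_lxc_exec NAME CMD [ARGS...]
# Runs CMD inside NAME only after the name passes validation; the name is
# quoted so it is passed as exactly one argument and never re-parsed.
safe_lxc_exec() {
    validate_lxc_name "$1" || {
        printf 'refusing invalid instance name: %s\n' "$1" >&2
        return 2
    }
    name=$1
    shift
    lxc exec "$name" -- "$@"
}

# verify_script_hash FILE EXPECTED_SHA256
# Returns 0 only when FILE's SHA-256 equals EXPECTED_SHA256.
verify_script_hash() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# install_from_pinned_script URL EXPECTED_SHA256
# Download-then-verify replacement for `curl URL | sh`: the script is saved
# to disk, compared against a hash pinned after a human reviewed that exact
# version, and executed only on a match. EXPECTED_SHA256 is a placeholder
# the operator fills in; no real installer hash is assumed here.
install_from_pinned_script() {
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$1" -o "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if verify_script_hash "$tmp" "$2"; then
        sh "$tmp"
        rc=$?
    else
        printf 'hash mismatch for %s, refusing to run\n' "$1" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

`verify_script_hash` is kept separate from the download so the check can be exercised offline against a local file, and the same pin-then-verify step applies to any installer the skill might fetch, not only Docker's. The name check covers the ingestion point the audit identifies (user-provided container names); cloud-init YAML needs its own schema validation and is not addressed here.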
Audit Metadata