analyzing-docker-container-forensics

Pass

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/agent.py script executes multiple Docker commands such as docker inspect, docker diff, and docker logs using subprocess.run with shell=True. The container_id variable, taken directly from command-line arguments, is interpolated into these command strings without validation or escaping. As a result, a maliciously crafted container ID can inject arbitrary shell commands that execute on the host system.
  • [EXTERNAL_DOWNLOADS]: The SKILL.md file contains instructions to download and install external forensic tools from remote repositories. Specifically, it fetches the dive tool from GitHub releases and container-diff from Google Storage APIs. These are recognized as well-known and trusted sources.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface, as it processes untrusted data from Docker container logs and inspection metadata.
    • Ingestion points: Container metadata via docker inspect, filesystem changes via docker diff, and application logs via docker logs in scripts/agent.py.
    • Boundary markers: None identified. The script processes and prints raw output from Docker commands.
    • Capability inventory: The script has the capability to execute shell commands via subprocess.run in scripts/agent.py.
    • Sanitization: No sanitization or escaping is performed on the data ingested from Docker commands before it is processed or used in the CLI output.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 15, 2026, 12:27 AM