analyzing-docker-container-forensics
Warn
Audited by Snyk on Apr 6, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly ingests and analyzes untrusted third‑party container content (e.g., images and files from registries and exported container filesystems) and related artifacts — see SKILL.md steps (docker export/inspect, docker logs, dive/container-diff, trivy scans) and scripts/agent.py functions (inspect_container, export_container, get_container_logs, scan_image_vulnerabilities) — and uses that content to drive analysis and reporting, so arbitrary content could influence decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill explicitly downloads and installs/executes remote binaries at runtime—e.g., wget https://github.com/wagoodman/dive/releases/latest/download/dive_linux_amd64.deb and curl -LO https://storage.googleapis.com/container-diff/latest/container-diff-linux-amd64—which fetch and run remote code and are used as required tools for the image-layer analysis steps.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly instructs installing packages with sudo (sudo dpkg -i) and performs host-level Docker operations (commit/save/export, reading/writing /var/lib/docker and other host paths), which require elevated privileges and modify the machine's state, so it should be flagged.
Issues (3)
- W011 MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
- W012 MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
- W013 MEDIUM: Attempt to modify system services in skill instructions.
Audit Metadata