analyzing-docker-container-forensics

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The workflow includes runtime commands that download and install/execute remote binaries (e.g., wget https://github.com/wagoodman/dive/releases/latest/download/dive_linux_amd64.deb and curl -LO https://storage.googleapis.com/container-diff/latest/container-diff-linux-amd64), which fetch and run external code relied upon for image analysis.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly instructs installing packages with sudo (sudo dpkg -i) and performs host-level Docker operations (commit/save/export, reading/writing /var/lib/docker and other host paths), which require elevated privileges and modify the machine's state, so it should be flagged.