Skills
skills/oaustegard/claude-skills/container-layer/Snyk

container-layer

Fail

Audited by Snyk on May 3, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). This skill deliberately implements mechanisms that execute arbitrary Containerfile RUN commands, fetch and extract remote archives, snapshot arbitrary filesystem paths and upload those snapshots as GitHub Release assets using a supplied GH token — capabilities that can be (and easily abused for) data exfiltration, credential exposure, remote code execution/backdoor installation, and supply‑chain compromise.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's boot scripts (boot.sh and boot-ccotw.sh) and the Containerfile executor (scripts/containerfile.py) explicitly fetch arbitrary GitHub repos and HTTPS URLs (via codeload.github.com / curl and FETCH/ _fetch_url), then expose fetched SKILL.md and other files into the agent's stdout/context (boot-ccotw.sh: "stdout goes into Claude's context" and _output_skills prints SKILL.md contents), so untrusted, user-generated third‑party content is ingested and can materially change runtime behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The boot scripts (boot.sh and boot-ccotw.sh) perform a runtime fetch-and-extract of remote code from https://codeload.github.com/oaustegard/claude-skills/tar.gz/main and then execute that code (python -m scripts.cli), so external content is fetched at runtime and directly results in execution of remote code.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs installing system packages (apt-get), writing to system paths (e.g. /usr/local/lib/python3.12/dist-packages), installing a shim, and requires a GitHub token with repo write access—operations that modify the host system state and would typically require elevated privileges, so it can compromise the machine.

Issues (4)

E006
CRITICAL

Malicious code pattern detected in skill scripts.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W013
MEDIUM

Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level
CRITICAL
Analyzed
May 3, 2026, 01:16 PM
Issues
4