docker-compose

Warn

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: MEDIUM
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The SKILL.md documentation claims that certain destructive commands and flags are 'BLOCKED', but the execution script scripts/main.cjs does not implement any filtering or verification logic to prevent these commands from being executed. This creates a misleading safety profile by relying on instructions alone rather than code enforcement.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection via the 'logs' tool. (1) Ingestion points: Container logs are piped into the agent's context through scripts/main.cjs. (2) Boundary markers: Log data is not enclosed in delimiters or accompanied by instructions to ignore embedded commands. (3) Capability inventory: High-privilege tools such as 'exec', 'run', and 'down' are available to the agent. (4) Sanitization: Log output is not sanitized or filtered before processing.
  • [COMMAND_EXECUTION]: The script scripts/main.cjs serves as a wrapper for the docker compose CLI. Although it uses 'shell: false' to avoid shell-level injection, it permits the agent to issue arbitrary commands to the Docker daemon, providing significant control over host resources without implementation-level oversight of the command arguments.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 6, 2026, 09:39 PM