docker-compose

Warn

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: MEDIUM
Finding categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/main.cjs file uses child_process.spawn to execute the local docker binary. It passes command-line arguments directly from the agent to the docker compose command, granting the agent full control over the local Docker daemon.
  • [REMOTE_CODE_EXECUTION]: The skill provides tools like exec and run which are explicitly designed to execute arbitrary code and commands inside running or new containers. This is a high-capability feature that can be used to manipulate containerized environments.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the logs tool.
    • Ingestion points: Container output and application logs are read into the agent's context.
    • Boundary markers: None are implemented to distinguish container output from system instructions.
    • Capability inventory: The agent has the ability to execute further Docker commands based on the logs it reads.
    • Sanitization: No sanitization or filtering of log content is performed before processing.
  • [EXTERNAL_DOWNLOADS]: The documentation references installation resources from official Docker domains (docs.docker.com), which are recognized as trusted sources for development tooling.
  • [COMMAND_EXECUTION]: There is a discrepancy between the SKILL.md 'Safety Features' section and the actual implementation. The documentation claims that destructive commands like rm -rf or root-level execution are 'BLOCKED' or require confirmation, but the scripts/main.cjs file contains no logic to validate or intercept these commands before execution.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 22, 2026, 10:30 AM