portainer
Warn
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- Data Exposure & Exfiltration (MEDIUM): The script portainer.sh reads sensitive configuration data from ~/.clawdbot/.env. While this is necessary for the skill's primary function of retrieving the PORTAINER_API_KEY, accessing credentials from the file system and transmitting them to a remote URL is a high-risk pattern. The severity is mitigated to MEDIUM as it is required for the intended use-case.
- Dynamic Execution (MEDIUM): In portainer.sh, the skill loads environment variables using the pattern export $(grep -E "^PORTAINER_" "$ENV_FILE" | xargs). This shell pattern is vulnerable to command execution (e.g., via subshell expansion) if the configuration file is modified to include malicious shell expressions like $(command).
- Indirect Prompt Injection (LOW): The skill ingests untrusted data from the Portainer API, including container names and system logs, which are then relayed to the agent. This creates a surface for indirect prompt injection if an attacker can control strings in the Docker environment.
- Ingestion points: portainer.sh (commands: logs, containers, stacks, stack-info).
- Boundary markers: None. Data is provided directly to the agent's context without delimiters.
- Capability inventory: High-impact actions available, including starting/stopping containers and redeploying stacks from git repositories.
- Sanitization: Log data is processed through strings to remove binary data, but this does not prevent instructions embedded in the text.
Audit Metadata