containers-skill
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill exhibits a significant Indirect Prompt Injection vulnerability surface. It encourages the agent to process untrusted data from container logs and system events, which can be used to influence the agent's behavior given its high-privilege capabilities.
  1. Ingestion points: Untrusted data enters the agent context via 'docker logs', 'kubectl logs', and 'kubectl describe' as documented in 'SKILL.md' and 'references/K8S-CHEATSHEET.md'.
  2. Boundary markers: No markers or safety instructions are present to differentiate between system logs and agent commands.
  3. Capability inventory: The skill allows for 'docker build', 'kubectl apply' (deploying arbitrary infrastructure), and system-wide cleanup via 'scripts/docker-cleanup.sh'.
  4. Sanitization: No sanitization or validation logic is provided for the output of the logging tools.
- COMMAND_EXECUTION (MEDIUM): The script 'scripts/docker-cleanup.sh' executes 'docker system prune -af --volumes'. This is a destructive operation that deletes all stopped containers, unused networks, dangling images, and most critically, all volumes. This can lead to irreversible data loss if invoked by the agent without explicit user validation.
- COMMAND_EXECUTION (LOW): The Python script 'scripts/docker_checker.py' uses 'subprocess.getoutput' to execute system commands. While currently restricted to static strings, it represents a pattern of local command execution that should be monitored.
Recommendations
- AI detected serious security threats