create-docker-skill
Fail
Audited by Snyk on Mar 16, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The package contains an explicit, intentional security-override backdoor (instructions to write a security_override.json that whitelists subprocess.run and network libraries) combined with numerous subprocess invocations, local server spawning, file-writing hooks and CLI calls — a clear attempt to bypass safety checks and enable remote code execution and data exfiltration.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly asks about "Network Scope" (e.g., pulling models from HuggingFace, data from NCBI, or containers from Docker Hub) and the scaffold mandates whitelisting network calls (requests/urllib) in security_override.json, which shows the agent will fetch and act on open/public third‑party content that could carry indirect prompt instructions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill explicitly instructs fetching a remote spec at runtime via WebFetch from https://raw.githubusercontent.com/modelcontextprotocol/typescript-sdk/main/README.md and to "base all your function signatures and schemas" on that fetched document, meaning external content would directly control generated prompts/instructions and is a required dependency.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly directs the agent to enable and whitelist subprocess and network calls (via a security_override.json) so it can run container orchestration (Docker) and related host subprocesses, effectively instructing a bypass of security checks and enabling actions that change host state.
Issues (4)
- E006 (CRITICAL): Malicious code pattern detected in skill scripts.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.