devops-infra
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- Privilege Escalation (MEDIUM): The skill requests broad access to system-level binaries via wildcards.
  - Evidence: 'allowed-tools' metadata in 'SKILL.md' includes 'Bash(docker:)' and 'Bash(systemctl:)'.
  - Risk: This grants the agent the ability to execute any command through these utilities (e.g., 'systemctl stop', 'docker rm'), exceeding the specific maintenance tasks described in the documentation.
- Indirect Prompt Injection (LOW): The skill processes user-provided infrastructure requirements, creating an attack surface for malicious instructions embedded in requests.
  - Ingestion points: User parameters for scaling, backup, and network settings in 'SKILL.md'.
  - Boundary markers: No delimiters or 'ignore embedded instructions' warnings are present to isolate user input.
  - Capability inventory: Full access to Docker, systemctl, and file manipulation tools (Read, Write, Edit, Grep).
  - Sanitization: No input validation or sanitization logic is defined for the interpolated commands.
- External Downloads (LOW): The skill references external container images from public registries.
  - Evidence: 'docker run --rm ... alpine' command in the 'Volume Backup' section of 'SKILL.md'.
  - Context: Pulling standard images like 'alpine' is common for DevOps, but remains a dependency on an external source.
Audit Metadata