docker
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Risk categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill grants access to the Bash tool, enabling arbitrary command execution on the host for Docker and infrastructure management. This level of access allows for total system compromise if the agent is manipulated.
- REMOTE_CODE_EXECUTION (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8) through its reliance on mcp__context7__query-docs. Evidence:
  1. Ingestion points: Documentation content retrieved via Context7.
  2. Boundary markers: Absent; no instructions provided to delimit or ignore instructions within external data.
  3. Capability inventory: Bash, Write, and Edit tools are all available.
  4. Sanitization: Absent.
- EXTERNAL_DOWNLOADS (LOW): References official Microsoft container images. Per [TRUST-SCOPE-RULE], these are considered trusted sources, though the behavior of the Docker daemon remains high-risk.
- DATA_EXFILTRATION (MEDIUM): The skill configures volume mounts for sensitive application data like DataProtection-Keys. While standard for the platform, this configuration creates a high-value target for exfiltration using the available Bash tool.
Recommendations
- AI detected serious security threats