coolify
Warn
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [DATA_EXPOSURE]: The skill provides explicit instructions and examples for reading highly sensitive system files. Specifically, it suggests using `cat ~/.ssh/id_rsa` to read the user's SSH private key for transmission to the Coolify platform when creating security keys.
  - Evidence: Found in `SKILL.md` under the 'Create Private Key' section: `{baseDir}/dist/coolify-cli.cjs security keys create ... --private-key "$(cat ~/.ssh/id_rsa)"`.
- [INDIRECT_PROMPT_INJECTION]: The skill includes functionality to read application logs, creating a surface for indirect prompt injection where malicious content in the logs could influence the agent's behavior.
  - Ingestion points: The `applications logs` command in `SKILL.md` allows the agent to read output from external, potentially untrusted, applications.
  - Boundary markers: No specific delimiters or instructions to ignore embedded commands within the logs are provided.
  - Capability inventory: The skill possesses extensive administrative capabilities, including creating/deleting applications, databases, and servers, and managing sensitive environment variables and SSH keys.
  - Sanitization: There is no evidence of log content sanitization or validation before it is presented to the agent's context.
- [COMMAND_EXECUTION]: The skill enables the execution of a wide variety of shell commands through a local Node.js script (`coolify-cli.cjs`). These commands have the power to alter production infrastructure and handle sensitive API tokens and credentials.
- [EXTERNAL_DOWNLOADS]: The skill encourages the installation of a CLI tool and its dependencies from a non-vendor-owned repository (`github.com/visiongeist/coolifycli`), which represents a supply chain risk as the source is not within the defined trusted or well-known organizations.