docker

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly pulls and runs public container images (e.g., "docker run ... nginx:latest") and inspects/executes into them via "docker logs" and "docker exec", meaning the agent fetches and interprets arbitrary, user-provided registry content that could influence subsequent actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs managing Docker on the host (start/stop/run/build/remove containers/images, prune, compose up) and even states the Docker socket must be mounted for agent access, which grants the agent full control over containers and can be used to modify or compromise the host system state.