npu-docker-launcher

Fail

Audited by Gen Agent Trust Hub on Apr 18, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs and executes a docker run command by interpolating multiple user-supplied strings into a shell template without any validation or sanitization.
      • Evidence: Steps 3, 4, and 6 in SKILL.md define the collection of requirements (name, mounts, environment variables) and the subsequent execution of the built command using the Bash tool.
      • Risk: A malicious user could provide input containing shell metacharacters (e.g., ;, &, |) to execute arbitrary commands on the host system with the privileges of the agent's execution environment.
  • [PROMPT_INJECTION]: The skill exhibits a high-risk surface for indirect prompt injection by processing untrusted data to define its execution logic.
      • Ingestion points: User-provided configuration values in Step 3 of SKILL.md.
      • Boundary markers: None present; there are no instructions to the agent to treat user input as data rather than executable parameters.
      • Capability inventory: The skill has the capability to execute shell commands (Step 6) and manage containers.
      • Sanitization: No sanitization or escaping mechanisms are described in the instructions.
  • [COMMAND_EXECUTION]: The skill defaults to highly insecure container configurations that weaken the host's security boundaries.
      • Evidence: The decision rules in SKILL.md state to "Default to --privileged" and the command template in Step 4 includes mandatory mounts for /usr/local/sbin.
      • Risk: Running containers in privileged mode while mounting sensitive host system directories like /usr/local/sbin allows for container escape and host compromise, as the container can overwrite critical system binaries on the host.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 18, 2026, 03:04 AM
Security Audit — agent-trust-hub — npu-docker-launcher