apple-container

Warn

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill makes extensive use of the container CLI to perform system-level operations on macOS, including starting/stopping services, managing virtual machines, and resource allocation.
  • [COMMAND_EXECUTION]: Several operations, such as sudo container system dns create, require administrative privileges. This allows the agent to modify system DNS settings if instructed, which could be abused to redirect traffic or intercept communications.
  • [COMMAND_EXECUTION]: The skill suggests establishing persistence for the container service by adding container system start as a login item, ensuring the background process runs automatically on every session.
  • [EXTERNAL_DOWNLOADS]: The skill recommends downloading the core software installer from Apple's official GitHub repository.
  • [REMOTE_CODE_EXECUTION]: The skill encourages the installation of container-compose via Homebrew from an untrusted third-party GitHub repository (Mcrich23/Container-Compose). Executing code from unverifiable external sources is a significant security risk.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted external data from multiple sources:
      • Ingestion points: Reads Dockerfile, .env files, and docker-compose.yml configurations at runtime.
      • Boundary markers: None are defined to separate tool instructions from potentially malicious commands embedded in the processed files.
      • Capability inventory: The skill has the ability to execute shell commands, perform network operations (pull/push), and modify system settings with sudo.
      • Sanitization: No input validation or sanitization is specified for the content of the ingested files, allowing an attacker to potentially influence the agent's behavior by embedding instructions in project files.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Jun 16, 2026, 07:32 AM
Security Audit — agent-trust-hub — apple-container