docker

Pass

Audited by Gen Agent Trust Hub on Jun 20, 2026

Risk Level: SAFEREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill provides installation scripts (scripts/install.sh, scripts/install.ps1) and setup documentation (resources/install-and-setup.md) that download the official Docker installation script from https://get.docker.com and execute it with elevated privileges (sudo sh). This is a standard and well-known installation method for the Docker engine.
  • [COMMAND_EXECUTION]: Diagnostic scripts (scripts/probe-docker.ps1, scripts/doctor-docker.ps1) and various documentation files execute core Docker subcommands (e.g., docker info, docker context, docker inspect, docker compose) to analyze the host environment and manage containers. These operations are restricted to the intended purpose of the skill and use static command patterns.
  • [CREDENTIALS_UNSAFE]: The template file templates/templates/compose-web-db/compose.yaml and the reference file resources/compose.md contain hardcoded placeholder credentials (e.g., POSTGRES_PASSWORD: postgres, DATABASE_URL: postgres://postgres:postgres@db:5432/appdb). These are provided as default examples for local development starter packs and do not represent a leak of production secrets.
  • [PROMPT_INJECTION]: The skill interacts with external data sources that could be controlled by an attacker, specifically container logs and metadata, creating a surface for indirect prompt injection.
  • Ingestion points: Data enters the agent's context through tools like docker logs, docker inspect, and docker stats, which are referenced in resources/troubleshooting.md and used in the probe-docker.ps1 diagnostic script.
  • Boundary markers: The skill relies on standard markdown code blocks for command output but does not implement specific delimiters or 'ignore' instructions to wrap container-generated text.
  • Capability inventory: The agent has access to highly capable commands such as docker run --privileged, docker rm -f, and docker system prune, as documented in SKILL.md and resources/containers.md.
  • Sanitization: There is no evidence of sanitization or filtering performed on container logs or metadata before the agent processes them.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 20, 2026, 10:50 AM
Security Audit — agent-trust-hub — docker