docker
Pass
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: SAFEREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides installation scripts (
scripts/install.sh,scripts/install.ps1) and setup documentation (resources/install-and-setup.md) that download the official Docker installation script fromhttps://get.docker.comand execute it with elevated privileges (sudo sh). This is a standard and well-known installation method for the Docker engine. - [COMMAND_EXECUTION]: Diagnostic scripts (
scripts/probe-docker.ps1,scripts/doctor-docker.ps1) and various documentation files execute core Docker subcommands (e.g.,docker info,docker context,docker inspect,docker compose) to analyze the host environment and manage containers. These operations are restricted to the intended purpose of the skill and use static command patterns. - [CREDENTIALS_UNSAFE]: The template file
templates/templates/compose-web-db/compose.yamland the reference fileresources/compose.mdcontain hardcoded placeholder credentials (e.g.,POSTGRES_PASSWORD: postgres,DATABASE_URL: postgres://postgres:postgres@db:5432/appdb). These are provided as default examples for local development starter packs and do not represent a leak of production secrets. - [PROMPT_INJECTION]: The skill interacts with external data sources that could be controlled by an attacker, specifically container logs and metadata, creating a surface for indirect prompt injection.
- Ingestion points: Data enters the agent's context through tools like
docker logs,docker inspect, anddocker stats, which are referenced inresources/troubleshooting.mdand used in theprobe-docker.ps1diagnostic script. - Boundary markers: The skill relies on standard markdown code blocks for command output but does not implement specific delimiters or 'ignore' instructions to wrap container-generated text.
- Capability inventory: The agent has access to highly capable commands such as
docker run --privileged,docker rm -f, anddocker system prune, as documented inSKILL.mdandresources/containers.md. - Sanitization: There is no evidence of sanitization or filtering performed on container logs or metadata before the agent processes them.
Audit Metadata