implementing-container-image-minimal-base-with-distroless

Warn

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Argument injection vulnerability in scripts/agent.py and scripts/process.py.
  • The scripts use subprocess.run() to execute external binaries such as docker, trivy, and kubectl.
  • Untrusted data, including container image names and Kubernetes namespace parameters, is passed directly as positional arguments in the command list.
  • An attacker could provide an image name starting with a hyphen (e.g., -v /:/host:ro alpine) to inject flags into the underlying docker run command, potentially mounting the host filesystem or escalating privileges.
  • [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection via untrusted Kubernetes metadata.
  • Ingestion points: The analyze_kubernetes_images function in scripts/process.py fetches image names from a cluster environment using kubectl get pods -o json.
  • Boundary markers: No delimiters or safety instructions are present to distinguish between trusted and untrusted image metadata.
  • Capability inventory: The skill possesses the capability to execute system commands (subprocess.run), inspect files via docker, and run arbitrary containers.
  • Sanitization: The extracted image strings are not validated or sanitized before being used in further command-line operations.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 20, 2026, 11:33 PM