The Agent Skills Directory

[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it instructs the agent to read and process external data from Dockerfiles, HCL bake files, and Docker Compose configurations.
Ingestion points: The agent reads build instructions and configurations from files like Dockerfile, docker-bake.hcl, and docker-compose.yml (SKILL.md).
Boundary markers: There are no explicit instructions or delimiters provided to ensure the agent ignores natural language instructions that might be maliciously embedded within comments or metadata of these external files.
Capability inventory: The agent is authorized to execute complex depot CLI commands which include network operations (registry pushes), file system access, and the use of secrets/SSH forwarding.
Sanitization: No sanitization or validation logic is defined to check the contents of the ingested configuration files before they are used in command execution.
[COMMAND_EXECUTION]: The skill documentation provides numerous patterns for shell command execution using the depot CLI. These commands are powerful and allow the agent to manage remote builds, download images locally (--load), push to external registries (--push), and handle sensitive build-time secrets or SSH agents.
[EXTERNAL_DOWNLOADS]: The UPSTREAM.md file contains a maintenance script that uses curl to fetch the latest version of the skill from a GitHub repository. While GitHub is a well-known and trusted service, this pattern identifies an external dependency for skill updates.

depot-container-builds