exploiting-containers

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs reading secrets (e.g., service account token) and then embedding them into Authorization headers and kubectl --token calls, which requires handling and potentially outputting secret values verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The skill content explicitly provides step-by-step instructions for escaping containers, escalating privileges, extracting Kubernetes service account tokens and secrets, creating privileged/backdoor pods and containers, abusing the Docker socket and known kernel/runtime CVEs—actions that constitute deliberate malicious behavior and system compromise.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs fetching and using content from public third-party sources (e.g., wget https://github.com/stealthcopter/deepce/raw/main/deepce.sh, docker pull of images from registries, and curl against public registries/APIs), which are untrusted/user-generated and would be read/used by the agent as part of its workflow, enabling indirect prompt-injection or behavior changes.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). This skill explicitly instructs how to escape containers and perform privileged, state-changing actions on the host (mount host filesystem, chroot, overwrite /etc/shadow, create privileged pods, use docker.sock, load kernel modules), so it directly pushes the agent to compromise the machine state.