This skill allows arbitrary command execution and privilege escalation
Claims to do
Layer - Layer Authoring: A **layer** is a directory under `layers/<name>/` that installs a single concern. Layers are the building blocks of container images in overthink. Each layer can declare packages, dependencies, environment variables, ports, services, volumes, and command aliases.
Actually does
This skill describes how to author 'layers' using `ov` commands like `ov new layer` and `ov list layers`. It details the structure and fields of `layer.yml` and other manifest files (`root.yml`, `user.yml`, `pixi.toml`, `package.json`, `Cargo.toml`) to declare packages (RPM, Deb, Pacman, AUR, Python, Node.js, Rust), environment variables, ports, services, volumes, security settings, secrets, and inter-container communication. It outlines how these files are processed to build container images.
Shell command execution function detected
`system(`
The skill allows defining custom logic and scripts (`root.yml`, `user.yml`, `build.sh`, `service` field, `aliases` field, `hooks` field) that execute arbitrary commands. `root.yml` and the `service` field can execute as `root`, while `user.yml`, `build.sh`, `aliases`, and `hooks` execute as `user`, providing extensive control over the build and runtime environment.
| Field | Runs as / type | Description |
|---|---|---|
| `root.yml` | root | Custom root install logic (Taskfile) |
| `user.yml` | user | Custom user install logic (Taskfile) |
| `build.sh` | user | Optional post-install script |
| `service` | multiline string | Supervisord `[program:<name>]` fragment |
| `aliases` | `[]AliasYAML` | Host command aliases |
| `hooks` | `HooksConfig` | Lifecycle hooks |
The `security` field allows setting `privileged: true`, adding capabilities (`cap_add`), mounting devices, and defining arbitrary host/tmpfs mounts. Additionally, the `libvirt` field allows injecting raw Libvirt XML snippets. These mechanisms can be used to escape the container/VM sandbox or escalate privileges on the host system.
```yaml
security:
  privileged: false
  cap_add:
    - SYS_PTRACE
  devices:
    - /dev/dri
  mounts:
    - /dev/input:/dev/input:rw
```
| Field | Type | Description |
|---|---|---|
| `libvirt` | `[]string` | Raw libvirt XML snippets injected into VM domain XML |

The `env_provides` and `mcp_provides` fields allow injecting environment variables and MCP server configurations into *other* containers. This capability can be leveraged to influence the behavior of dependent services, potentially leading to lateral movement, data exfiltration, or command execution in other parts of the multi-container system.
```yaml
env_provides:
  OLLAMA_HOST: "http://{{.ContainerName}}:11434"
mcp_provides:
  - name: jupyter-colab
    url: "http://{{.ContainerName}}:8888/mcp"
```

The `secrets` field allows defining the `target` mount path and `env` fallback variable for Podman secrets. An attacker could manipulate these paths or environment variable names to redirect or expose sensitive credentials within the container, especially when combined with arbitrary command execution capabilities.
```yaml
secrets:
  - name: api-key
    target: /run/secrets/api_key
    env: API_KEY
```

The AUR package build documentation explicitly states that 'Passwordless sudo is configured for the build user in the AUR build stage.' This significantly lowers the bar for privilege escalation during the build process if an attacker can inject malicious AUR packages or build scripts.
Passwordless sudo is configured for the build user in the AUR build stage.
Source: [Mondoo Skill Check for overthinkos/overthink-plugins/layer](https://mondoo.com/ai-agent-security/skills/github/overthinkos/overthink-plugins/layer)