TL;DR: Docker’s Ask Gordon beta could be hijacked through malicious Docker Hub metadata, causing automatic tool calls and exfiltration of chat history and build data, with the exploit succeeding even where domain allowlisting was present, according to Pillar Security. The incident shows that trusted-content prompt injection turns repository metadata into executable context, so consent and provenance boundaries matter more than network filters.
NHIMG editorial — based on content published by Pillar Security: Ask Gordon, Meet the Attacker, prompt injection in Docker’s built-in AI assistant
By the numbers:
- The issue was resolved in Docker Desktop 4.50.0 on November 6th, 2025.
Questions worth separating out
Q: How should security teams stop indirect prompt injection in AI assistants?
A: Security teams should prevent external text from becoming executable context.
Q: Why do AI assistants create a new trust problem for identity governance?
A: AI assistants create a new trust problem because they can read data, choose tools, and act on external text in ways traditional review processes do not expect.
Q: What breaks when an AI assistant can access private data and untrusted content at the same time?
A: When an assistant can access private data and ingest untrusted content, a small injected instruction can become a data-exfiltration path.
Practitioner guidance
- Separate display content from executable context Classify repository metadata, README text, and issue content as untrusted by default, and prevent those fields from directly driving tool calls or outbound requests.
- Gate all egress-triggering actions with explicit consent Require a human approval step before any assistant can fetch remote URLs, send data externally, or invoke tools that can expose build logs, chat history, or other sensitive context.
- Test assistants against indirect prompt injection Red-team developer assistants with poisoned metadata, hidden instructions, and malicious follow-on links to verify that tool use stops at the intended trust boundary.
What's in the full article
Pillar Security's full research covers the operational detail this post intentionally leaves for the source:
- The exact malicious metadata pattern used to trigger Ask Gordon's follow-on fetch and tool calls.
- The recorded sequence of internal tool invocations, including list_builds and build_logs, that supported the exfiltration chain.
- The mitigation behaviour after Docker Desktop 4.50.0 and how human-in-the-loop confirmation changed execution flow.
- The sanitized network capture that shows how the assistant packaged chat and tool output for outbound transfer.
👉 Read Pillar Security's analysis of Ask Gordon prompt injection in Docker Desktop →
Docker Ask Gordon prompt injection: what IAM teams need to know?
Explore further
Trusted metadata is now an execution surface, not just a content surface. Docker Hub repository descriptions were enough to steer Ask Gordon because the assistant treated marketplace content as a source of instructions. That is a governance failure, not a UI quirk. Security teams must assume that any externally sourced text adjacent to an agent can become operational input once tool execution is allowed.
A few things that frame the scale:
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who should approve sensitive tool use in AI-assisted developer workflows?
A: Sensitive tool use should be approved before execution by the operator or workflow owner, not after the assistant has already acted. For developer assistants, any request that can expose logs, build data, or send information externally should pass through a deliberate confirmation step.
👉 Read our full editorial: Docker's Ask Gordon shows how prompt injection hijacks AI tools