ssl-certificate-management
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The automated renewal CronJob configuration installs utility packages (kubectl, curl, jq, openssl) from the official Alpine Linux package repositories at runtime.
- [COMMAND_EXECUTION]: The skill includes shell scripts and Kubernetes Job templates that execute system commands using kubectl, aws-cli, openssl, and mail to monitor certificate status, fetch metadata, and trigger renewals.
- [CREDENTIALS_UNSAFE]: While the skill includes fields for AWS Access Keys and Secret Keys in its examples, it correctly uses well-known documentation placeholders (e.g., 'AKIAIOSFODNN7EXAMPLE') rather than hardcoded secrets.
- [INDIRECT_PROMPT_INJECTION]: The skill's monitoring and renewal scripts ingest external data from Kubernetes secrets and AWS API responses.
  - Ingestion points: scripts/certificate-monitor.sh and references/automated-certificate-renewal.md (via kubectl and aws-cli).
  - Boundary markers: Not present; the scripts treat the command output as trusted data.
  - Capability inventory: The scripts have the capability to send emails (mail command) and modify Kubernetes resources (kubectl annotate).
  - Sanitization: Shell scripts employ standard variable quoting to prevent command injection during processing.