security-hardening

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill includes a runtime command that applies remote YAML from https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml via "kubectl apply -f …", which fetches and executes remote workload configuration (i.e., runs code) and is presented as the required way to run the kube-bench scan.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill includes explicit privileged actions that modify system configuration and services (e.g., editing /etc/ssh/sshd_config, running systemctl restart sshd, docker run with host mounts and capabilities, OS-level CIS tools) which require sudo/privileged access and therefore instructs changes to the machine's state.