gitops-master
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's architecture relies on a user-configurable `ssh_command` variable (e.g., in `.gitops-config.yaml`) that is prepended to many diagnostic and promotion commands. This pattern allows for arbitrary command injection if the configuration source is untrusted or maliciously modified.
- [REMOTE_CODE_EXECUTION]: In the 'Phase S3: Adding Verification' section, the skill provides templates for Kubernetes `AnalysisTemplate` resources that execute multi-line bash scripts inside `alpine/k8s` containers. This encourages the execution of arbitrary, potentially unsanitized code within the cluster environment.
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection by interpolating data from external sources into shell commands without sanitization or boundary markers.
  - Ingestion points: Configuration from `.gitops-config.yaml` and live output from various `kubectl` commands.
  - Boundary markers: Absent in shell interpolation logic.
  - Capability inventory: Significant capabilities including `kubectl` access, `ssh` command execution, and the ability to create/modify Kubernetes resources like `Secrets` and `ClusterRoles`.
  - Sanitization: No evidence of shell escaping or input validation for variables used in command strings.
- [COMMAND_EXECUTION]: The skill provides templates for creating high-privilege `ClusterRole` and `ClusterRoleBinding` resources. While necessary for its function, this provides a mechanism for privilege escalation within the cluster if used incorrectly.
- [COMMAND_EXECUTION]: The skill's operational flow includes reading sensitive resources such as Kubernetes `secrets` and `configmaps` as part of its verification and diagnostic processes.