kibana-agent-builder
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on Bash execution to run Node.js scripts (`scripts/agent-builder.js`) that interact with the Kibana Agent Builder REST API for agent and tool management.
- [CREDENTIALS_UNSAFE]: The scripts `scripts/agent-builder.js` and `scripts/kibana-client.js` implement a bypass for TLS certificate verification. If the environment variable `KIBANA_INSECURE` is set to `true`, the scripts set `process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"`. This disables security checks for HTTPS connections, making Kibana API keys, usernames, and passwords vulnerable to interception via man-in-the-middle (MITM) attacks.
- [PROMPT_INJECTION]: The skill facilitates the creation and management of agents that ingest untrusted data and follow custom instructions, creating a surface for indirect prompt injection.
  - Ingestion points: User-provided system instructions during agent creation/update and external data retrieved from Elasticsearch indices via ES|QL and index search tools.
  - Boundary markers: No explicit boundary markers or "ignore embedded instructions" warnings are implemented in the management scripts to isolate instructions from data.
  - Capability inventory: The management scripts can create, modify, and delete agents and tools, and can execute tool tests via the Kibana API. The agents created can further execute tools like `platform.core.execute_esql` or `platform.core.search`.
  - Sanitization: The scripts use standard JSON stringification and URI encoding for parameters, but do not provide specific sanitization for content passed into agent instructions or tool queries.
Audit Metadata