Skills
skills/googlecloudplatform/gke-mcp/custom-golden-image-discovery/Gen Agent Trust Hub

custom-golden-image-discovery

Pass

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill fetches JSON configuration maps from https://www.gstatic.com. This is an official, well-known Google domain for hosting static assets and is a trusted source in the context of a Google Cloud Platform skill.\n- [COMMAND_EXECUTION]: The agent is instructed to use curl to retrieve mapping data. The command dynamically constructs a URL path using a version string extracted from user input. This represents a safe and expected operational pattern for the skill's discovery purpose.\n- [PROMPT_INJECTION]: The skill processes untrusted user data to construct the parameters for a network request, creating a surface for indirect prompt injection.\n
  • Ingestion points: User-provided setup descriptions or GKE version strings parsed during the 'Discovery Workflow' in SKILL.md.\n
  • Boundary markers: None explicitly defined to delimit user-provided values within the instruction template.\n
  • Capability inventory: Uses curl to perform network operations based on the processed input.\n
  • Sanitization: The workflow includes a specific step to 'Determine Minor Version' (e.g., extracting '1.34' from '1.34.1...'), which serves as an implicit validation and sanitization filter before the value is used in the URL.
Audit Metadata
Risk Level
SAFE
Analyzed
May 7, 2026, 02:33 PM