prometheus
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The SKILL.md file instructs the agent to access sensitive credentials located at `~/.kube/<cluster>.yaml` to facilitate port-forwarding. Kubeconfig files typically contain administrative certificates and tokens for cluster access.
- [COMMAND_EXECUTION] (HIGH): The `urlencode` function in `scripts/promql.sh` is vulnerable to Python code injection. It interpolates a bash variable directly into a `python3 -c` command using triple quotes (`'''$string'''`). An attacker providing a malicious PromQL query containing triple single-quotes could break out of the string literal and execute arbitrary Python code on the host.
- [COMMAND_EXECUTION] (MEDIUM): Both the documentation and the provided script explicitly use and recommend the `-k` (`--insecure`) flag with `curl`. This disables SSL/TLS certificate verification, exposing the agent's communications with the Prometheus API to Man-in-the-Middle (MitM) attacks.
- [PROMPT_INJECTION] (LOW): The skill processes data (metrics, alerts) from an external Prometheus API, which could be under the control of a malicious actor. This is an indirect prompt injection surface where attacker-controlled labels or annotations could influence agent behavior.
- Ingestion points: Prometheus API response data via `scripts/promql.sh`.
- Boundary markers: None implemented in script output or documentation.
- Capability inventory: Subprocess execution via `curl`, `kubectl`, and `python3`.
- Sanitization: API output is processed by `jq` but not sanitized before being returned to the LLM context.
Recommendations
- AI detected serious security threats.
Audit Metadata