exa-incident-runbook
Fail
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill uses `kubectl` to perform sensitive operations such as updating environment variables (`kubectl set env`), creating secrets (`kubectl create secret`), and restarting deployments (`kubectl rollout restart`). It also executes a local shell script, `./scripts/exa-debug-bundle.sh`, to collect debug data.
- [DATA_EXFILTRATION]: The skill provides instructions to extract and decode sensitive API keys from Kubernetes secrets using `kubectl get secret exa-secrets -o jsonpath='{.data.api-key}' | base64 -d`. While intended for triage verification, this exposes raw credentials to the agent's context.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from application logs via `kubectl logs`. If an attacker can influence log output, they might inject instructions that the agent could follow given its high-privilege capabilities.
  - Ingestion points: Reads application logs from the production cluster (`SKILL.md`).
  - Boundary markers: No delimiters or instructions are present to distinguish log data from agent instructions.
  - Capability inventory: The skill has `kubectl` and `curl` capabilities, allowing it to modify infrastructure based on its interpretation of the data.
  - Sanitization: There is no evidence of log sanitization or validation before the data is processed by the agent.
- [EXTERNAL_DOWNLOADS]: Fetches service status information from the official Exa status page (https://status.exa.com) and internal health endpoints.
Recommendations
- AI detected serious security threats
Audit Metadata