k8s

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's SKILL.md and references/operations.md explicitly instruct fetching and applying public third‑party manifests and charts (e.g., "kubectl apply -f https://raw.githubusercontent.com/rancher/local-path-provisioner/..." and Helm repos https://charts.nerkho.ch, https://helm.livekit.io), which are untrusted public content that the workflow ingests and can materially change cluster behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes runtime commands that fetch and apply remote manifests (e.g., "kubectl apply -f https://raw.githubusercontent.com/rancher/local-path-provisioner/v0.0.30/deploy/local-path-storage.yaml" and "kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml"), which will execute remote code/manifests during skill runtime and are relied on as part of recovery/creation procedures.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill contains explicit instructions that modify host/system state (editing launchd plists under /Library/LaunchDaemons, editing Colima host configs, adding Docker port mappings, restarting/force-killing services, and running sudo on the Colima VM such as sudo modprobe), which require elevated privileges and can alter or disrupt the machine.