k8s

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs fetching and applying remote, public content (for example: kubectl apply -f https://raw.githubusercontent.com/... to install the local-path-provisioner and use external Helm repos like nerkho and livekit), so the agent would ingest and act on untrusted third‑party web content that can materially change cluster actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill contains explicit runtime commands that fetch and apply remote manifests (executing remote code), for example "kubectl apply -f https://raw.githubusercontent.com/rancher/local-path-provisioner/v0.0.30/deploy/local-path-storage.yaml", which is fetched and executed during cluster creation and is a required dependency for that procedure.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly instructs host-level, privileged operations (e.g., running "sudo modprobe br_netfilter" on the Colima VM, editing host/launchd/docker hostconfig files, and restarting/uncordoning nodes), which require sudo or modify system files and thus can change/compromise the machine state.