az-aks-agent

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • EXTERNAL_DOWNLOADS (LOW): The documentation suggests downloading Kubernetes manifests from the Azure/prometheus-collector GitHub repository.
    • Evidence: File references/control-plane-metrics.md contains a wget command targeting raw.githubusercontent.com/Azure/prometheus-collector/... followed by kubectl apply.
    • Risk: While this is a 'download then execute' pattern, the source organization (Azure) is on the trusted list, downgrading the severity per [TRUST-SCOPE-RULE].
  • COMMAND_EXECUTION (MEDIUM): Reference commands include powerful diagnostic tools that allow execution on the host nodes.
    • Evidence: File references/kubelet-logs.md contains az aks command invoke --command "chroot /host && journalctl -u kubelet -o cat".
    • Risk: The use of chroot /host allows the agent to break out of the containerized environment and execute commands with root privileges directly on the underlying VM nodes. This is a significant privilege escalation vector if the agent is manipulated into running arbitrary commands.
  • CREDENTIALS_UNSAFE (LOW): The skill guides users on where to store and how to use sensitive API keys for LLM providers.
    • Evidence: Files references/cli-commands.md and references/troubleshooting.md reference ~/.azure/aksAgent.config as a storage location for keys like azure_api_key and openai_api_key.
    • Risk: While standard for CLI configurations, storing secrets in plain-text files is a practice that can lead to credential exposure if the host environment is compromised. Example configurations correctly use placeholders.
  • INDIRECT_PROMPT_INJECTION (LOW): The skill possesses a wide attack surface for indirect injection, as it ingests untrusted cluster data and has destructive capabilities.
    • Evidence Chain:
      • Ingestion points: Processes logs and events via AKSAudit and KubeEvents (documented in references/monitoring.md).
      • Boundary markers: None specified in the documentation or scripts.
      • Capability inventory: Includes kubectl delete for webhooks/jobs and node-level command execution via az aks command invoke.
      • Sanitization: No sanitization logic is present in the provided reference scripts.
    • Risk: Malicious content embedded in container logs or Kubernetes events could influence the agent's logic to perform unauthorized deletions or node-level operations.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:05 PM