holmesgpt-skill
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- CREDENTIALS_UNSAFE (HIGH): The skill instructs the agent to mount highly sensitive host directories containing cloud and cluster credentials into a Docker container.
  - Evidence: installation.md recommends mounting ~/.kube/config, ~/.aws, and ~/.config/gcloud.
- COMMAND_EXECUTION (HIGH): The skill explicitly documents an interactive /run command designed to execute custom shell commands.
  - Evidence: SKILL.md and troubleshooting.md highlight the /run command for executing arbitrary shell commands and sharing their output with the AI.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill facilitates downloading and installing software from sources outside the pre-approved trusted list.
  - Evidence: Installation via brew tap robusta-dev/homebrew-holmesgpt, pipx install holmesgpt, and git clone from the robusta-dev GitHub repository.
- DATA_EXFILTRATION (LOW): The skill includes capabilities to send aggregated diagnostic data to external integrations such as Slack, Jira, and PagerDuty.
  - Evidence: Mention of integrations with Slack (via --slack-token) and PagerDuty in SKILL.md.
- PROMPT_INJECTION (LOW): An indirect prompt injection risk exists because the agent processes live Kubernetes logs, events, and alerts, which could be influenced by an external attacker.
  - Evidence: The agent ingests untrusted data from kubernetes/logs and AlertManager. Boundary markers or sanitization logic are not explicitly defined in the provided files.
Recommendations
- AI detected serious security threats
Audit Metadata