kcli-configuration
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Data Exposure (HIGH): The skill directs the agent to interact with and manage highly sensitive files including SSH private keys (~/.kcli/id_rsa,
/.kcli/id_ed25519) and cloud credentials (/.kcli/config.yml). Managing these files via an agent without strict constraints or human-in-the-loop verification poses a high risk of accidental or malicious exposure. - Indirect Prompt Injection (HIGH): 1. Ingestion points: The agent is instructed to write user-provided configuration to config.yml and profiles.yml. 2. Boundary markers: No delimiters or instructions to ignore embedded commands are provided. 3. Capability inventory: The skill documents the use of the 'cmds' field to execute arbitrary shell commands during VM deployment. 4. Sanitization: There are no instructions for the agent to validate or sanitize user-provided configuration data.
- Command Execution (MEDIUM): The skill documentation promotes the use of post-boot command execution (e.g., dnf install, systemctl commands), which provides a native mechanism for remote code execution if the configuration source is untrusted.
Recommendations
- AI detected serious security threats
Audit Metadata