cluster-agent-swarm

Fail

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Shell injection patterns detected in multiple observability helper scripts, including skills/observability/scripts/log-search.sh, skills/observability/scripts/metric-query.sh, and skills/observability/scripts/slo-report.sh. These scripts use the eval command to construct and execute curl requests while interpolating script arguments (search patterns, PromQL queries, and SLI definitions) directly into the shell execution string without sanitization.
  • [COMMAND_EXECUTION]: The skill set is designed for high-privilege cluster management and includes operations that execute commands with host-level permissions. For example, skills/cluster-ops/SKILL.md documents node maintenance using oc debug node combined with chroot /host, and skills/security/scripts/cis-benchmark.sh executes Kubernetes Jobs with hostPID: true and direct host filesystem mounts.
  • [EXTERNAL_DOWNLOADS]: Scripts and documentation, such as skills/artifacts/scripts/generate-sbom.sh and skills/qmd.md, provide instructions or references for downloading and installing tools from well-known repositories, including anchore/syft, aquasecurity/trivy, anchore/grype, and tobi/qmd. These tools are fetched from established GitHub organizations or image registries.
  • [PROMPT_INJECTION]: Indirect Prompt Injection surface (Category 8) assessment:
      • Ingestion points: Container logs (log-search.sh), cluster events (alert-triage.sh), and Prometheus metrics (metric-query.sh). Data from these sources enters the agent's context and can be influenced by untrusted external actors.
      • Boundary markers: No specific delimiters or "ignore instructions" warnings are implemented in the scripts when presenting external data to the agent.
      • Capability inventory: High. The agent swarm possesses the ability to create, delete, and modify cluster resources, manage secrets, execute cloud-provider CLI commands, and promote container images.
      • Sanitization: The scripts do not appear to validate or sanitize the content of logs, events, or metrics before they are retrieved and processed.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/anchore/syft/main/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 11, 2026, 05:44 PM