cluster-ops
Warn
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill facilitates administrative command execution through
kubectl exec,oc rsh, andoc debug. Specifically, theoc debug node -- chroot /hostcommand is used to execute operations with host-level privileges on the cluster's underlying nodes. Additionally, the shell scripts reference an external local library../../../shared/lib/preflight.shthat is not provided for verification. - [DATA_EXFILTRATION]: Provides functionality to retrieve and display cluster administrative credentials, such as
rosa show credentialsandaz aro list-credentials. It also handles sensitiveetcddata by creating snapshots and storing them locally on the agent's host filesystem. - [EXTERNAL_DOWNLOADS]: Pulls well-known diagnostic container images, including
busyboxandnicolaka/netshoot, from public registries for runtime network and DNS troubleshooting. These are neutral references to established technology tools. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from cluster resource metadata and logs.
- Ingestion points: Data enters the context via
kubectl get,oc get,aws logs, andoc logscommands inSKILL.mdandscripts/pre-upgrade-check.sh. - Boundary markers: No explicit delimiters or instructions are used to separate untrusted cluster data from the agent's operational logic.
- Capability inventory: The agent possesses extensive administrative capabilities, including host-level command execution and the ability to modify cluster-wide configurations.
- Sanitization: Log data is processed using
grepwithout sanitization or validation to filter out potential embedded malicious instructions before the data is evaluated by the agent.
Audit Metadata