kyverno
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH | PROMPT_INJECTION | NO_CODE
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill establishes an Indirect Prompt Injection surface by allowing the agent to process untrusted Kubernetes resource data with high-privilege side effects. Evidence Chain:
  1. Ingestion points: The skill utilizes 'request.object' and 'request.namespace' as data sources within ClusterPolicies (SKILL.md).
  2. Boundary markers: Absent; there are no instructions or patterns provided to delimit untrusted resource content from policy logic.
  3. Capability inventory: The skill documents 'mutate' (Strategic Merge/JSON Patch) and 'generate' capabilities, which allow for modifications to cluster state and resource creation.
  4. Sanitization: Absent; the templates use direct JMESPath interpolation (e.g., {{request.object.metadata.name}}) without escaping or validation logic.
- [DATA_EXFILTRATION] (LOW): The 'context' section describes 'apiCall' patterns to the Kubernetes API. While standard for Kyverno, this represents a potential data exposure vector if an agent is tricked into querying sensitive endpoints using interpolated paths.
Recommendations
- AI detected serious security threats
Audit Metadata