helm-release-recovery

Pass

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: SAFE
Flags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides a wide array of shell commands using Helm and Kubectl to manage, inspect, and recover application deployments in a Kubernetes cluster. These operations are essential for the skill's purpose but involve direct interaction with the system environment.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it instructs the agent to ingest and act upon data produced by external tools such as helm history, helm status, and kubectl get pods. An attacker who can influence the metadata or configuration of a Helm chart could potentially insert malicious instructions into the tool's output to manipulate the agent's behavior.
  • Ingestion points: Data from helm history, helm status, and kubectl commands enters the agent's context in multiple scenarios throughout SKILL.md and REFERENCE.md.
  • Boundary markers: There are no explicit delimiters or instructions provided to the agent to distinguish between the skill's trusted guidance and the untrusted data returned by the system tools.
  • Capability inventory: The skill is granted access to the Bash tool, allowing it to execute any shell commands derived from its instructions or the data it processes.
  • Sanitization: The skill does not implement any validation or filtering mechanisms for the external output before it is processed by the AI agent.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 14, 2026, 01:24 PM