k8s-ops
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- CREDENTIALS_UNSAFE (HIGH): The skill contains a pre-configured command to retrieve and base64-decode Kubernetes secrets (`kubectl get secret <name> -o jsonpath='{.data.password}' | base64 -d`) in SKILL.md. This allows an agent to easily expose sensitive credentials.
- COMMAND_EXECUTION (HIGH): Several operations in SKILL.md use direct interpolation of user-controlled variables (e.g., `<command>`, `<pod>`, `<manifest>`) into shell commands. Specifically, `kubectl exec <pod> -n <ns> -- <command>` and `kubectl run debug ... -- <command>` provide a direct path for arbitrary command execution within containers.
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to indirect prompt injection because it is designed to process external Kubernetes manifests (`kubectl apply -f <manifest>`) and execute commands within existing pods.
- Ingestion points: `<manifest>`, `<pod>`, `<namespace>`, and `<command>` placeholders in SKILL.md.
- Boundary markers: Absent; untrusted data is directly inserted into command strings.
- Capability inventory: Full cluster administrative rights including resource application, deletion, and remote shell execution across all scripts in SKILL.md.
- Sanitization: Absent; no validation or escaping of input parameters is performed.
- DATA_EXFILTRATION (MEDIUM): Operations such as `kubectl port-forward`, `kubectl logs`, and `kubectl get -o yaml` in SKILL.md can be leveraged to extract sensitive cluster configuration or application data to the user's local environment or an external endpoint.
Recommendations
- AI detected serious security threats
Audit Metadata