implementing-ebpf-security-monitoring
Warn
Audited by Snyk on Apr 20, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The agent's install path (install_tetragon_helm) calls helm repo add with https://helm.cilium.io at runtime, then fetches and deploys remote Helm chart artifacts, which results in executing remote code. The Helm repo URL https://helm.cilium.io is therefore a required runtime dependency that can execute remote code.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). This skill explicitly instructs installing and running system daemons with sudo/CAP_BPF (copying binaries to /usr/local/bin, starting tetragon), loading eBPF programs and CRDs that change kernel/cluster behavior (including in-kernel Sigkill enforcement), all of which modify host/kernel state and require elevated privileges.
Issues (2)
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.