securing-kubernetes-on-cloud
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references the download and use of security assessment tools from trusted, well-known organizations.
- Fetches the kube-bench configuration and job manifest from Aqua Security's official GitHub repository.
- Configures the Falco helm repository from the official Falcosecurity project for runtime threat detection.
- [COMMAND_EXECUTION]: The workflow and audit script involve executing standard cloud and Kubernetes management tools.
- Includes instructions for using
eksctl,gcloud,az,kubectl, andhelmto implement security controls like workload identity and network policies. - The
scripts/agent.pyscript is designed to be executed manually to perform a read-only security audit of cluster resources via the official Kubernetes Python client. - [PROMPT_INJECTION]: An indirect prompt injection surface is present as the audit tool processes data from the Kubernetes cluster environment.
- Ingestion points: The
scripts/agent.pyscript reads metadata, labels, and specifications from Namespaces, Pods, and RBAC bindings via the Kubernetes API (file:scripts/agent.py). - Boundary markers: There are no explicit boundary markers used in the script to delineate between data and instructions within the ingested cluster metadata.
- Capability inventory: The agent script has the capability to write its findings to a local JSON file (
k8s_security_audit.json). - Sanitization: The script uses standard JSON serialization for the report, which provides inherent protection against data structure manipulation in the output.
- [SAFE]: No malicious patterns or unauthorized behaviors were detected. The skill focuses on legitimate security hardening tasks and utilizes official libraries and trusted external resources.
Audit Metadata