kubernetes-security-policies
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill references several external URLs for installing security controllers and audit tools via
kubectl applyorkubectl create. Although these tools are legitimate and reputable within the Kubernetes ecosystem, the organizations (open-policy-agent, kyverno, aquasecurity, bitnami-labs) are not on the explicit trusted whitelist provided for this analysis. - Evidence in
references/admission-control.md:https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yamlandhttps://github.com/kyverno/kyverno/releases/download/v1.11.0/install.yaml. - Evidence in
references/best-practices.md:https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml. - Evidence in
references/secrets-management.md:https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml. - [REMOTE_CODE_EXECUTION] (MEDIUM): Executing
kubectl apply -forkubectl create -fwith a remote URL downloads and applies Kubernetes resource definitions. This is a form of remote execution that can grant cluster-wide privileges or create malicious pods if the source were compromised. - [CREDENTIALS_UNSAFE] (SAFE): Secret management examples in
references/image-security.mdandreferences/secrets-management.mduse generic placeholders such as 'secret' and 'supersecret'. These are acceptable for illustrative purposes and do not represent leaked credentials.
Audit Metadata