k8s-manifest-generator

Warn

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The 'Memory Protocol' requires the agent to read and write to specific absolute file paths on the host filesystem (e.g., 'C:\dev\projects\agent-studio.claude\context\memory\learnings.md'). Accessing these files can expose internal agent state, learned patterns, or previous session decisions to the current context or external visibility.
  • [COMMAND_EXECUTION]: The skill's instructions explicitly mandate the use of the 'Bash' tool to execute 'cat' commands on the host system to initialize and update the memory protocol files. This creates a mandatory execution path for system-level commands interacting with the filesystem.
  • [PROMPT_INJECTION]: The 'Memory Protocol' section uses directive, mandatory language ('MANDATORY', 'ASSUME INTERRUPTION', 'If it's not in memory, it didn't happen') to override standard agent behavior. This enforces a persistent state-tracking mechanism that prioritizes local file access over default safety or operational constraints.
  • [DATA_EXFILTRATION]: (Indirect Prompt Injection Surface) The skill processes user-provided application requirements to generate Kubernetes YAML manifests but lacks explicit sanitization, validation, or boundary markers (such as XML tags or delimiters). This allows potentially malicious user input to influence the structure and security properties of the generated manifests.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 3, 2026, 02:04 PM