kubernetes-flux

Fail

Audited by Snyk on Mar 6, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The skill includes a "Memory Protocol (MANDATORY)" telling the agent to read/write an internal .claude/context/memory file and to "ASSUME INTERRUPTION," which are instructions that alter agent memory/behavior and are unrelated to the Kubernetes management purpose.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly directs using Flux with arbitrary Git repositories (e.g., "flux bootstrap git --url=…", "flux get sources git", "flux tree kustomization"), so the agent or Flux will fetch and interpret manifests from external, user-controlled Git sources, which can directly influence reconciliations and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's installation steps instruct running a remote install script that will be fetched and executed (e.g., "curl -s https://fluxcd.io/install.sh | sudo bash"), which executes external code and is presented as the recommended install method for the required Flux CLI.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill's installation instructions explicitly include a curl ... | sudo bash command that requests sudo privileges and would modify the host system, so it encourages actions that can compromise the machine state.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 6, 2026, 09:21 AM