kubectl
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill grants the agent the ability to run arbitrary commands within production containers using `kubectl exec`. While intended for debugging, this provides a direct path for unauthorized code execution if the agent is compromised.
- [DATA_EXFILTRATION] (MEDIUM): The skill includes explicit instructions for extracting and decoding Kubernetes secrets (`kubectl get secret -o jsonpath='{.data.password}' | base64 -d`). This capability allows the agent to access sensitive credentials, which could then be exfiltrated if the agent is directed to an external endpoint.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection (Category 8). Troubleshooting workflows in `SKILL.md` and `troubleshooting.md` mandate reading application logs (`kubectl logs`), which are untrusted ingestion points. An attacker could print malicious instructions to logs that the agent might follow while using its high-privilege tools. Evidence: ingestion at `SKILL.md` (Logs section); boundary markers absent for reads; capabilities include `exec` and `apply`; sanitization is absent.
- [COMMAND_EXECUTION] (LOW): Python scripts `cluster_status.py` and `restart_monitor.py` execute system commands via `subprocess.run`. Although they currently use a hardcoded configuration, invoking administrative CLI tools from scripts increases the overall attack surface.
- [DATA_EXPOSURE] (LOW): Infrastructure metadata, including a specific AWS Account ID (830101142436) and internal network IPs, is hardcoded in the skill files.
Audit Metadata