k8s

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt mostly avoids exposing secrets by using EDIT_ME placeholders and autogenerated values, but it explicitly instructs the user to paste their Phase Enterprise license key into chat and then substitutes that value verbatim into the generated secret script, which requires the LLM to handle/output a sensitive credential.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly runs commands that fetch and apply public manifests and charts at runtime (e.g., "kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.2/cert-manager.yaml", installing local-path-provisioner via a raw GitHub URL, and helm repo add/helm install for public repos like ingress-nginx and https://helm.phase.dev), which means it ingests untrusted third-party web content that can materially change the agent's actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.2/cert-manager.yaml at runtime (Phase 4a), which fetches and applies remote Kubernetes manifests (executes remote content) and is a required dependency for the deployment, so this is a high-risk runtime external dependency.