deploy-to-kubernetes

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes concrete secret literals and examples that embed secrets verbatim in commands/manifests (e.g., --from-literal password='sup3rs3cr3t!' and api-key "sk-123..."), which requires the agent to output sensitive values directly and therefore poses an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill instructs at runtime to run "kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml", which fetches and applies remote Kubernetes manifests (executing remote content) and is required for the HPA step to function, so this URL is a runtime external dependency that executes code.