kubernetes-operations
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill defines patterns for interacting with external data (Kubernetes resource names) using shell commands.
- Ingestion points: The agent is instructed to use placeholders like <pod-name> and <namespace>, which are typically sourced from untrusted user input or cluster state.
- Boundary markers: None present in the instructions to prevent the agent from obeying instructions embedded in resource names or log outputs.
- Capability inventory: Includes kubectl exec, kubectl logs, and kubectl run, providing a direct path from untrusted input to shell execution.
- Sanitization: No sanitization or validation of the input variables is described or required.
- [Command Execution] (HIGH): The troubleshooting section explicitly directs the use of kubectl exec -it <pod-name> -- /bin/sh and kubectl run debug --image=nicolaka/netshoot. These commands provide interactive shell access and allow the deployment of new containers, which are high-privilege actions that could be abused to bypass security controls or exfiltrate data from the cluster environment.
Recommendations
- AI detected serious security threats
Audit Metadata