k8s-cli
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection. It ingests external, untrusted content from the Kubernetes cluster and possesses high-privilege capabilities.
  - Ingestion points: kubectl-mcp-server call get_pod_logs, kubectl-mcp-server resources (cluster status, pod events).
  - Boundary markers: Absent. There are no instructions to the agent to treat cluster data as untrusted or to ignore embedded commands.
  - Capability inventory: High-impact write operations including scale_deployment and install_helm_chart via kubectl-mcp-server call.
  - Sanitization: Absent. No mention of filtering or escaping output from the cluster before it enters the agent's context.
- [COMMAND_EXECUTION] (HIGH): The skill provides a direct interface for the agent to execute arbitrary tools and commands on a connected system. The call and serve commands allow the agent to perform complex operations with side effects on production infrastructure.
- [DATA_EXFILTRATION] (MEDIUM): The skill exposes sensitive information from kubeconfig and allows starting a network-accessible server via kubectl-mcp-server serve --transport streamable-http --port 8000, which could be used to expose cluster data externally.
- [PERSISTENCE] (LOW): The skill instructs the user to modify shell configuration files (~/.bashrc, ~/.zshrc) to add aliases, which is a method of maintaining a persistent presence in the user's shell environment.
Recommendations
- AI detected serious security threats
Audit Metadata