k8s-core

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE

PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (LOW): The skill possesses a significant attack surface where malicious instructions embedded in external data could influence the agent.
  • Ingestion points: Tools like get_pod_logs, get_events, and get_configmap ingest data from potentially untrusted sources (e.g., application logs or cluster events controlled by an attacker).
  • Boundary markers: The skill lacks explicit instructions or delimiters to isolate ingested log/event content from the agent's control logic.
  • Capability inventory: The skill has high-impact write capabilities, including delete_pod, delete_namespace, and drain_node, which could be targeted by injected instructions.
  • Sanitization: There is no evidence of sanitization or filtering for the content returned by the K8s API tools before it is processed by the agent.
  • Data Exposure & Exfiltration (SAFE): While the skill manages Kubernetes secrets via get_secret and create_secret, it explicitly includes a priority rule: 'Never expose secrets in plain text.' The example credentials provided ('secret123') are clearly instructional placeholders.
  • Privilege Escalation (SAFE): The skill performs administrative tasks (node draining, resource deletion) which are consistent with its stated purpose as a core Kubernetes management tool.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 17, 2026, 06:29 PM