k8s-deploy

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Flags: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [Remote Code Execution] (HIGH): The SKILL.md file contains instructions for the user/agent to install third-party components using kubectl apply with remote URLs. Specifically, it references https://github.com/argoproj/argo-rollouts/releases/latest/download/install.yaml and github.com/fluxcd/flagger/kustomize/kubernetes. Neither argoproj nor fluxcd is on the list of Trusted GitHub Organizations, making these unverifiable remote execution patterns.
  • [Indirect Prompt Injection] (HIGH): The skill combines a high-risk capability tier with ingestion of untrusted data.
    • Ingestion points: The agent is expected to process and apply external YAML manifests (e.g., rollout_yaml in ROLLOUTS.md) and to monitor external Prometheus metrics for deployment health.
    • Boundary markers: No boundary markers or sanitization logic are defined for the YAML content being applied.
    • Capability inventory: The skill provides full access to cluster modification via kubectl_apply, install_helm_chart, and set_deployment_image.
    • Sanitization: There is no evidence of schema validation or content filtering. An attacker could provide a malicious manifest containing privileged containers or unauthorized RBAC roles that the agent would then apply to the cluster.
  • [Command Execution] (MEDIUM): The skill performs sensitive operations (scaling, rolling back, and updating images) based on parameters that may be influenced by external data. Without strict validation of the namespace or image strings, there is a risk of unauthorized resource manipulation within the cluster.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 07:39 AM