k8s-helm
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Remote Code Execution (CRITICAL): The SKILL.md file contains a 'Prerequisites' section that instructs the execution of remote code using the pattern curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash. This piped execution is a critical risk, and the source organization 'helm' is not present on the Trusted GitHub Organizations list.
- Indirect Prompt Injection (HIGH): This skill has a high vulnerability surface for indirect prompt injection because it reads and processes external, attacker-controlled Helm charts while possessing the capability to execute state-changing operations in a Kubernetes cluster.
  - Ingestion points: SKILL.md tools add_helm_repo (via URL) and install_helm_chart (via chart name/version references).
  - Boundary markers: No boundary markers or 'ignore embedded instruction' warnings are present in the skill prompts.
  - Capability inventory: The skill includes high-privilege tools such as install_helm_chart, upgrade_helm_release, rollback_helm_release, and uninstall_helm_chart.
  - Sanitization: No input validation or sanitization is described for chart names, versions, or values.
- Command Execution (HIGH): The skill provides tools that wrap administrative CLI operations. Combined with the ingestion of untrusted external content, this poses a risk of unauthorized command execution or cluster compromise if the agent is influenced by malicious chart data.
- External Downloads (MEDIUM): The skill frequently downloads assets from non-whitelisted domains during repository updates and chart installations.
Recommendations
- CRITICAL: Downloads and executes remote code from untrusted source(s): https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 - DO NOT USE
- AI detected serious security threats
Audit Metadata