k8s-operations

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The skill provides tools for executing arbitrary commands inside Kubernetes containers via kubectl_exec. The documentation includes examples like sh -c 'curl ...' and ls -la /app. If an attacker can influence the command argument through prompt injection, they can achieve arbitrary code execution within the pod's security context.
  • REMOTE_CODE_EXECUTION (HIGH): The kubectl_exec tool allows the agent to run code on remote infrastructure. This capability, combined with the lack of command whitelisting or sanitization, presents a significant risk of Remote Code Execution if the agent is misused.
  • DATA_EXFILTRATION (MEDIUM): The tools kubectl_exec and kubectl_apply (via file_path) can be used to read sensitive configuration files or local environment variables. Examples explicitly show reading configuration files (e.g., cat /etc/config/settings.yaml), which could be used to exfiltrate secrets from the cluster or the agent's host.
  • INDIRECT_PROMPT_INJECTION (LOW): The skill is highly susceptible to indirect prompt injection as it processes complex data structures (YAML manifests, JSON patches, shell commands) and maps them to powerful infrastructure changes.
    ◦ Ingestion points: kubectl_exec (command), kubectl_patch (patch), kubectl_apply (manifest).
    ◦ Boundary markers: Absent in the provided skill definition.
    ◦ Capability inventory: Full Kubernetes resource lifecycle management (apply, delete, patch, scale) and arbitrary shell execution in pods.
    ◦ Sanitization: No sanitization or validation logic is defined or mentioned for the input strings passed to kubectl tools.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:40 PM