kubespray-airgap
Warn
Audited by Snyk on Feb 28, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly describes a download-all.sh pipeline (including download-kubespray-files.sh, pypi-mirror.sh, download-additional-containers.sh) that fetches binaries, Python packages and container images from public sources (docker.io/quay.io/PyPI/GitHub). This is untrusted third-party content that the workflow ingests and that can materially influence subsequent tool actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill requires fetching and executing binaries and scripts at runtime from the admin server URLs (e.g., http://ADMIN_IP and resources under {{ http_server }}/files and ADMIN_IP:35000), so these runtime HTTP endpoints serve remote code/assets the deployment will execute.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill instructs changing system-wide configuration and services (installing containerd, starting nginx/registry, modifying /etc/containers/registries.conf, creating /etc/containerd/certs.d/hosts.toml, editing /etc/hosts, configuring offline yum/pypi repos and running ansible playbooks), all of which modify machine state and require elevated privileges, so it should be flagged.