kubespray-helm-airgap

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The SKILL.md explicitly instructs fetching and inspecting public charts (e.g., "helm pull oci://registry-1.docker.io/bitnamicharts/nginx" and subsequent zcat/tar/helm show commands) so the agent would ingest untrusted, third‑party chart content and act on its metadata (images/values), which could influence deployment actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill instructs runtime installation of a Helm plugin from a Git repository which fetches and installs remote code (helm plugin install https://github.com/chartmuseum/helm-push.git), making that URL a runtime dependency that executes external code.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt includes explicit instructions to modify system configuration files (e.g., appending to /etc/containers/registries.conf) and other system-level operations that require root privileges, so it advises actions that change the host state and thus should be flagged.