kubectl
Warn
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches the kubectl binary and GPG keys from official Kubernetes infrastructure (
dl.k8s.ioandpkgs.k8s.io) during the installation process. - [REMOTE_CODE_EXECUTION]: The skill facilitates the application of Kubernetes manifests directly from remote URLs using
kubectl apply -f <url>. - [COMMAND_EXECUTION]: Includes commands for executing interactive shells and arbitrary binary execution within cluster pods via
kubectl exec. - [COMMAND_EXECUTION]: Setup instructions utilize
sudoto move binaries into system-wide executable paths and configure system package managers. - [COMMAND_EXECUTION]: Modifies shell profile files (
~/.bashrc,~/.zshrc) to enable persistent command-line autocompletion. - [DATA_EXFILTRATION]: Provides instructions for retrieving sensitive data from the cluster, including decoding Secret resources and copying files from containers to the local filesystem using
kubectl cp. - [PROMPT_INJECTION]: Vulnerable to indirect prompt injection. The agent is instructed to read and analyze cluster data that may contain untrusted content, such as container logs or event descriptions. This information is ingested into the agent's context where it could attempt to influence high-privilege actions like resource deletion or modification.
- Ingestion points:
resources/command-cookbook.mdandresources/troubleshooting.md(viakubectl logs,kubectl describe, andkubectl get events). - Boundary markers: No specific delimiters or safety instructions are provided to the agent to ignore instructions embedded within the logs or events it reads.
- Capability inventory: The skill allows for broad cluster control, including
apply,patch,delete, andexeccapabilities across all resource types. - Sanitization: There is no evidence of filtering or sanitization of the external content retrieved from the cluster before it is processed by the agent.
Audit Metadata