skills/ionfury/homelab/sre/Gen Agent Trust Hub

Skill: sre
Verdict: Warn

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: MEDIUM
Flags: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill makes extensive use of sensitive file paths located in the user's home directory. Specifically, it references and sets the KUBECONFIG environment variable to files such as ~/.kube/<cluster>.yaml. These files are critical security assets containing authentication tokens, certificates, and endpoint information for Kubernetes cluster access.
  • [COMMAND_EXECUTION]: The skill documents and scripts several high-privilege operations:
      • Container Execution: Uses kubectl exec to run commands like wget inside monitoring containers to query the Prometheus API locally, bypassing external authentication proxies.
      • Security Policy Bypass: Provides an 'emergency escape hatch' to disable network security enforcement at the namespace level using kubectl label namespace <ns> network-policy.homelab/enforcement=disabled.
      • Tunnelling: Instructs the use of kubectl port-forward to establish network tunnels to internal services like hubble-relay.
      • Credential Piping: Includes instructions for manual artifact promotion that involve piping sensitive environment variables into CLI tools, specifically echo $GITHUB_TOKEN | docker login.
  • [PROMPT_INJECTION]: The skill contains strong behavioral directives that attempt to strictly mandate agent reasoning patterns, such as 'You MUST apply 5 Whys before concluding any investigation' and 'Zero Alert Tolerance: every firing alert must be addressed immediately'. While intended as SRE methodology, these function as instruction overrides.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core troubleshooting workflows:
      • Ingestion points: The agent is instructed to read and analyze untrusted data from pod logs (kubectl logs) and event streams (kubectl describe), which can be influenced by attackers controlling workloads or network traffic.
      • Boundary markers: There are no instructions to wrap ingested content in delimiters or to ignore embedded instructions within the processed logs.
      • Capability inventory: The agent has extensive capabilities to execute shell commands, modify cluster resources, and perform network operations based on its analysis of this untrusted data.
      • Sanitization: The skill lacks mechanisms for sanitizing or validating external content before it is interpolated into the agent's context.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 24, 2026, 03:30 PM