keyvault-csi-driver
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFE
CREDENTIALS_UNSAFE
COMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill contains hardcoded UUIDs representing infrastructure identities in `SKILL.md` and `references/examples.md`.
  - Evidence includes Client ID: `f1a14a8f-6d38-40a0-a935-3cdd91a25f47` and Tenant ID: `3f7a3df4-f85b-4ca8-98d0-08b1034e6567`.
- [DATA_EXPOSURE]: Hardcoded environment names (`cafehyna-dev`, `painelclientes-prd`) and Key Vault names (`kv-cafehyna-dev-hlg`, `painel-clientes-prd`) are present in `SKILL.md`, revealing specific details about the target infrastructure.
- [COMMAND_EXECUTION]: The skill includes several utility scripts that execute shell commands:
  - `scripts/create-keyvault-secret.sh` uses `az keyvault secret set` to modify cloud resources.
  - `scripts/diagnose-csi.sh` uses `kubectl` to query cluster state and logs.
  - `scripts/grant-keyvault-access.sh` uses `az role assignment create` and `az keyvault set-policy` to modify security permissions.
- [PRIVILEGE_ESCALATION]: The script `scripts/grant-keyvault-access.sh` is designed to modify Azure RBAC roles and Key Vault access policies, which involves managing security boundaries and permissions.
Audit Metadata