k8s-security
Warn
Audited by Snyk on Mar 26, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The SKILL.md instructs the agent to fetch and execute public third-party content (e.g., curl|sh installs and kubectl apply -f https://raw.githubusercontent.com/... manifests, helm repo/chart installs from external URLs like https://charts.external-secrets.io), so the agent will ingest and act on untrusted, user-controlled web content as part of its workflow.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill contains commands that fetch and execute remote code at runtime (e.g., curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh and curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash, as well as kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml), so these URLs are runtime external dependencies that execute remote code.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill includes instructions that modify control-plane/system files (e.g. /etc/kubernetes/encryption-config.yaml), run privileged containers with host mounts, and perform cluster-admin/oc adm/helm installs that require elevated privileges — all actions that change the machine or cluster state and can require sudo/administrator access.