auditing-kubernetes-rbac-privilege-escalation
Warn
Audited by Snyk on Jun 23, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill's prerequisites and workflow include a runtime download and execution of a remote binary via curl from https://github.com/PaloAltoNetworks/rbac-police/releases/latest/download/rbac-police-linux-amd64 which is fetched (curl -L ... -o rbac-police) and then executed (./rbac-police), so the fetched content executes remote code during runtime.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs live, state-changing exploitation: installing tools, using/minting service-account tokens, creating/updating RBAC bindings, and scheduling privileged hostPath pods (e.g., reading /host/etc/shadow) which modify cluster/node/host state and enable takeover.
Issues (2)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W013
MEDIUMAttempt to modify system services in skill instructions.
Audit Metadata