performing-kubernetes-penetration-testing
Fail
Audited by Snyk on Apr 9, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes explicit commands that read and print secret values (e.g., base64-decoding secret data, catting serviceaccount tokens, querying etcd), which requires the agent to handle and potentially output secrets verbatim.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's required workflow explicitly fetches and executes public third-party content (e.g., SKILL.md Step 4 uses "curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash" and "kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml") and its scripts also ingest and interpret untrusted Kubernetes API JSON (kubectl outputs of services, pods, secrets) which can materially influence scanning/exploitation decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill includes runtime commands that fetch and execute remote code — e.g. curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash — and applies a remote manifest (kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml), both of which are required installation/scan steps that execute external content at runtime.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs deploying privileged pods that mount the host filesystem and chrooting into /host, accessing etcd certs and secrets, and other actions that modify cluster/host state and enable privilege escalation, so it pushes the agent to compromise the machine.
Issues (4)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.