openchoreo-platform-engineer
Warn
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSDATA_EXFILTRATIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill includes several Argo Workflow templates that execute complex shell scripts to perform git operations, build container images, and interact with the OpenChoreo API.
- Evidence found in
resources/workflow-templates/checkout-source.yaml,resources/workflow-templates/containerfile-build.yaml, andresources/workflow-templates/generate-workload.yaml. - [CREDENTIALS_UNSAFE]: A hardcoded default client secret is provided in the OAuth configuration of a workflow template.
- Evidence in
resources/workflow-templates/generate-workload.yaml:oauth-client-secretdefaults to"openchoreo-workload-publisher-secret". - [PRIVILEGE_ESCALATION]: Multiple workflow templates utilize container configurations with
privileged: trueto perform operations like image building with Podman. - Evidence in
resources/workflow-templates/containerfile-build.yaml,resources/workflow-templates/generate-workload.yaml, andresources/workflow-templates/publish-image.yaml. - [EXTERNAL_DOWNLOADS]: The workflow templates download and execute container images from external registries including GitHub Container Registry (ghcr.io) and Docker Hub.
- Referenced images include
ghcr.io/openchoreo/podman-runner,ghcr.io/jqlang/jq,mikefarah/yq, andalpine/git. - [DATA_EXFILTRATION]: Scripts within the workflow templates handle sensitive information such as SSH private keys and API tokens, moving them into temporary local files for execution.
- In
resources/workflow-templates/checkout-source.yaml, SSH private keys are read from mounted secrets and written to~/.ssh/id_rsa. - [REMOTE_CODE_EXECUTION]: The workflow templates utilize
curl -sk(insecure) to communicate with API endpoints using tokens obtained at runtime, presenting a risk if the target URLs are manipulated. - Evidence in
resources/workflow-templates/generate-workload.yaml.
Audit Metadata