dynamo-recipe-runner

Warn

Audited by Gen Agent Trust Hub on Jun 18, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill automates the execution of cluster-mutating shell commands, specifically kubectl apply for manifest deployment and kubectl port-forward for connectivity testing. These operations directly affect the production environment and are executed by the agent to implement recipe patches.
  • [CREDENTIALS_UNSAFE]: The skill manages a workflow involving the creation and verification of Kubernetes secrets containing sensitive Hugging Face tokens (hf-token-secret). Although it provides guidance to avoid logging the tokens, the agent's interaction with high-privilege credentials creates a risk of exposure or unauthorized access.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it ingests and processes YAML manifests from the recipes/ directory and applies them after interpolation with user-supplied parameters.
  • Ingestion points: YAML recipe manifests located in the recipes/ directory tree.
  • Boundary markers: Absent; there are no clear delimiters used to prevent the agent from interpreting content within the manifests as executable instructions.
  • Capability inventory: kubectl apply, kubectl exec, and local script execution (recipe_tool.py).
  • Sanitization: The skill relies on basic regex-based validation in recipe_tool.py to find placeholders, but lacks comprehensive sanitization or schema validation to prevent malicious injection into the cluster configuration.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 18, 2026, 04:34 PM
Security Audit — agent-trust-hub — dynamo-recipe-runner