dynamo-recipe-runner
Warn
Audited by Gen Agent Trust Hub on Jun 18, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill automates the execution of cluster-mutating shell commands, specifically
kubectl applyfor manifest deployment andkubectl port-forwardfor connectivity testing. These operations directly affect the production environment and are executed by the agent to implement recipe patches. - [CREDENTIALS_UNSAFE]: The skill manages a workflow involving the creation and verification of Kubernetes secrets containing sensitive Hugging Face tokens (
hf-token-secret). Although it provides guidance to avoid logging the tokens, the agent's interaction with high-privilege credentials creates a risk of exposure or unauthorized access. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it ingests and processes YAML manifests from the
recipes/directory and applies them after interpolation with user-supplied parameters. - Ingestion points: YAML recipe manifests located in the
recipes/directory tree. - Boundary markers: Absent; there are no clear delimiters used to prevent the agent from interpreting content within the manifests as executable instructions.
- Capability inventory:
kubectl apply,kubectl exec, and local script execution (recipe_tool.py). - Sanitization: The skill relies on basic regex-based validation in
recipe_tool.pyto find placeholders, but lacks comprehensive sanitization or schema validation to prevent malicious injection into the cluster configuration.
Audit Metadata