argocd-exploit

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This skill is explicitly malicious: it contains step-by-step exploit tooling (Redis cache poisoning script), malicious Kubernetes manifests with a reverse shell and privileged mounts, instructions to steal admin credentials/tokens and perform SSRF to cloud metadata — all enabling unauthorized cluster takeover, credential theft, and data exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.95). The skill's detection and exploit workflows explicitly fetch and parse untrusted remote content (e.g., /api/v1/version and other ArgoCD endpoints in references/detection-and-post-exploit.md and reading/writing Redis cache keys in references/cve-exploits.md) and then use that content to decide vulnerabilities and drive exploit actions, so third-party data can influence tool behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill includes an authenticated post example that points ArgoCD to fetch manifests from an external git repository (https://github.com/attacker/evil-manifests), which at runtime would be cloned by ArgoCD and directly execute remote manifests (i.e., remote code), so this is a required external dependency used to perform the exploit.