k8s-storage-exploit

Audit result: Fail
Audited by Snyk on Apr 22, 2026
Risk Level: CRITICAL

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to locate and cat files/paths that contain credentials, keys, and tokens (e.g., /var/run/secrets, /host/root/.ssh, cat /efs/flag.txt), which would require reading and potentially outputting secret values verbatim — enabling exfiltration.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This content is clearly malicious: it provides explicit, step-by-step instructions to discover and exploit Kubernetes-mounted storage (NFS/EFS/PV/Secrets/ConfigMaps) to read sensitive files and credentials, spoof UID/GID to bypass access controls, and create remote access (SSH reverse tunnels) for exfiltration and unauthorized access.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs the agent to read arbitrary files from network-mounted, potentially untrusted storage (e.g., using nfs-cat with nfs:// URLs and directly listing/reading /efs, /mnt, /var/run/secrets and hostPath mounts) as part of its required workflow, so third-party file contents could be ingested and influence actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs active exploitation and bypassing of access controls (e.g., nfs-cat UID/GID spoofing, SSH port forwarding) and directs reading of sensitive host/container files (e.g., /host/etc/shadow, /var/run/secrets), enabling compromise of the running environment.

Issues (4)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Apr 22, 2026, 10:09 AM
  • Issues: 4