k8s-ops
Security checks across malware telemetry and agentic risk
Overview
This skill is purpose-aligned for Kubernetes operations, but it gives broad cluster and host authority while key tool implementations are not included for review.
Install only after reviewing the missing @k8s-ops/core implementation. Use a dedicated least-privilege kubeconfig, avoid broad production credentials, do not provide SSH secrets unless required, and require explicit approval for any Kubernetes write, exec, restart, scale, or rollout action.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or autonomous tool call could make impactful changes to a Kubernetes cluster using the user's configured permissions.
All registered tools accept arbitrary parameters and pass them directly to handlers. For the SKILL-declared Kubernetes exec, scale, restart, rollout, and namespace-management tools, the reviewed artifacts do not show parameter validation or approval controls.
parameters: Type.Any(),
async execute(_toolCallId: string, params: unknown) {
const result = await skill.handler(params, pluginConfig);
Require explicit user approval for mutating operations, define strict per-tool schemas, add context and namespace allowlists, and prefer dry-run/read-only modes by default.
The agent may act with the same Kubernetes privileges as the user's kubeconfig, including production or cluster-admin access if that is configured.
The skill relies on local kubeconfig credentials, which may grant broad cluster authority. The artifacts do not clearly restrict which context, namespace, or RBAC level should be used.
- `kubectl` installed and configured with cluster access
- Valid kubeconfig (defaults to `~/.kube/config`)
Use a dedicated least-privilege kubeconfig/context, avoid production cluster-admin credentials, and require confirmation before any write, exec, or administrative action.
Providing these fields could let the skill or its handlers access remote hosts using sensitive SSH credentials.
The optional host-monitoring configuration can include SSH passwords or private key paths, but this sensitive host access is not reflected in the registry credential summary and is not bounded in the reviewed runtime code.
"password": { "type": "string" },
"privateKeyPath": { "type": "string", "description": "Path to SSH private key" }
Avoid storing passwords in plugin config, prefer SSH agent or secret-managed keys, and limit configured hosts and accounts to least privilege.
The reviewed files do not show what commands the Kubernetes tools actually run, which is risky for a plugin with cluster-management authority.
The plugin imports skillRegistry from @k8s-ops/core and delegates execution to those handlers, but that package's source is not included in the supplied file manifest. The actual behavior of the 32 tools is therefore not reviewable here.
"@k8s-ops/core": "workspace:*"
Review and pin the @k8s-ops/core implementation before installation, publish the full tool source, and avoid workspace:* dependencies in distributed artifacts.
