
Security audit

Kubeblocks

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate KubeBlocks database-management skill, but it needs review because it can drive real Kubernetes changes, reveal database secrets, and includes destructive or mutating guidance that is not consistently scoped or accompanied by warnings.

Install only if you intentionally want an agent to manage KubeBlocks databases on Kubernetes. Before any action, confirm the kubeconfig context, namespace, target cluster, environment, terminationPolicy, and dry-run output. Require explicit approval for apply, delete, uninstall, expose, restore, scale, patch, or credential-retrieval commands, and never paste decoded secrets into chat, logs, or shared terminals.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (49)

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The skill's concrete YAML examples set `terminationPolicy: Delete` even though later guidance says production deployments should use `DoNotTerminate`. Because users often copy examples directly, this mismatch can cause accidental deletion of a production cluster and its PVCs if the resource is removed. In an infrastructure-automation context, unsafe defaults in examples are especially risky because they are likely to be reused without careful review.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
The skill metadata says it is not for uninstalling KubeBlocks, yet the same file later provides explicit uninstall and cleanup steps. This mismatch can cause an agent or user to invoke destructive operations unexpectedly because the documented scope and actual behavior are inconsistent.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The documentation contradicts its own manifest by saying uninstalling is out of scope while later instructing exactly how to uninstall. In agent workflows, such contradictions increase the chance of unsafe action selection and accidental destructive execution.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The skill explicitly states that it only guides diagnosis and 'does not perform actions,' but later includes concrete state-changing kubectl annotate and patch commands. This mismatch is dangerous because an agent may treat the skill as read-only and still be induced to execute remediation steps that alter live cluster state, bypassing the user's intent and reducing operator caution.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The troubleshooting guide goes beyond diagnosis by providing direct live-cluster repair operations such as annotating components/componentdefinitions and patching OpsRequests. In an agent setting, this is risky because troubleshooting content is often treated as safe to follow automatically, and these commands can change deletion behavior, bypass safety checks, or cancel in-flight operations on production systems without sufficient review.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The activation guidance is overly broad because it directs use of the skill whenever a user says they need a database, even if they do not mention Kubernetes or KubeBlocks. This can cause the agent to invoke infrastructure-provisioning behavior in situations where the user's environment, permissions, or intent are unclear, increasing the chance of unsafe or inappropriate operational actions.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The README explicitly states the agent will automatically use these skills whenever a database is needed, which is an overly broad trigger for a capability set that can provision, modify, expose, back up, restore, and delete production database infrastructure. In an agentic context, broad auto-invocation increases the chance of the agent taking high-impact actions without sufficiently specific user intent, environment validation, or change approval.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README enumerates destructive and availability-impacting operations such as delete-cluster, restore, upgrade, scaling, switchover, rebuild, and expose-service, but does not warn that these actions can cause outages, data loss, credential exposure, cost increases, or irreversible state changes. In a skill intended for autonomous or semi-autonomous agents, missing safety warnings and approval requirements materially raises the risk of unsafe execution in production environments.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The trigger description is broad enough to activate this skill for generic requests like 'I need a database' or 'set up MySQL' even when the user may not want Kubernetes or KubeBlocks. In an agent-routing context, this can cause the system to select a high-privilege infrastructure-management skill unnecessarily, increasing the chance of unintended cluster access, provisioning, or destructive operations being suggested or initiated.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The sample manifests set `terminationPolicy: Delete` for Elasticsearch clusters without an explicit warning that deleting the cluster may also delete associated data resources. In a database/infrastructure provisioning skill, this can lead users to deploy production-like clusters with destructive defaults and later suffer unintended data loss during cleanup or lifecycle operations.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The skill description includes broad trigger phrases such as generic references to Kafka, message queues, and cluster creation that could cause the agent to invoke this skill in situations where the user did not explicitly request Kubernetes-based Kafka deployment. Over-broad routing can lead to unintended infrastructure actions or guidance being surfaced in ordinary conversations, especially because this skill contains actionable deployment commands.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The examples instruct the agent/user to create namespaces and apply Cluster manifests that will modify a live Kubernetes environment and allocate persistent volumes, but they do not clearly warn that these actions are state-changing and may incur cost or consume shared infrastructure. In an agent setting, this increases the risk of unintended provisioning or resource changes when a user may have expected informational guidance only.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The sample manifest sets terminationPolicy to Delete without a nearby warning that deleting the cluster may also delete underlying data volumes and permanently destroy stored vectors and metadata. For a database skill, this is especially dangerous because users may copy the manifest into production-like environments and assume data durability is preserved by default.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill provides commands to retrieve and use the MongoDB root password directly from a Kubernetes secret, but it does not warn about secure handling, shell history leakage, terminal exposure, or least-privilege alternatives. In an operational environment, this can normalize unsafe credential practices and increase the chance of accidental disclosure of highly privileged database credentials.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The reference includes `terminationPolicy: Delete` in example manifests without an adjacent warning that this setting deletes workloads and PVCs. In an infrastructure provisioning skill, users often copy examples directly, so this can lead to unintended data loss in real database deployments, especially because the document also presents production-oriented guidance.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill explicitly instructs users to retrieve and print the MySQL root password from a Kubernetes secret and then use the root account for access, without any warning about sensitive credential handling, least-privilege access, terminal history, or log exposure. In an infrastructure-management skill, this is dangerous because operators may copy, expose, or normalize use of highly privileged credentials, increasing the risk of database compromise.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The example cluster manifest sets terminationPolicy to Delete for a stateful MySQL deployment but does not warn that deleting the cluster may permanently remove associated database resources or data, depending on storage and controller behavior. In a database provisioning skill, omission of this warning is risky because users often copy examples verbatim into production-like environments and may assume deletion is reversible.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The reference documents destructive termination policies such as `Delete` and especially `WipeOut` without prominent warnings about irreversible data loss. In a Kubernetes database management skill, users may copy these examples directly, so omission of cautions can lead to accidental deletion of PVCs, secrets, and backups in production.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill provides a command that directly decodes and prints the PostgreSQL password from a Kubernetes Secret without any warning about exposure risk. In operational environments this can leak privileged credentials into terminal scrollback, shell history, logs, screen recordings, or shared sessions, increasing the chance of unauthorized database access.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The reference explicitly documents destructive termination policies, including `Delete` and `WipeOut`, without an adjacent warning about permanent data loss. In a database provisioning skill, users may copy YAML or policy choices directly, and selecting these options can lead to irreversible deletion of PVCs, secrets, and backups for production data.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The description includes broad trigger terms such as 'vector database', 'vector search', 'similarity search', 'embedding', and 'RAG', which can cause the skill to activate for general AI/database requests rather than explicit Qdrant deployment intent. In an agentic system, over-broad routing can lead to unintended infrastructure actions or database provisioning in the wrong context, especially since the skill contains executable operational guidance for creating Kubernetes resources.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill includes direct commands to extract and decode root credentials from a Kubernetes Secret and then use them for login, but it does not warn about sensitive handling, least privilege, or avoiding disclosure in shared terminals/logs. In an agent setting, this increases the risk of credential exposure through command history, copied outputs, chat transcripts, or overbroad use of highly privileged accounts.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill instructs users to print a Redis password directly from a Kubernetes secret to the terminal without any warning about credential handling, shell history, logging, or least-privilege access. In operational environments, this can lead to accidental exposure through terminal scrollback, shared sessions, recorded demos, or copied command output, especially because database credentials grant direct access to live data stores.
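
The credential findings above (MongoDB, MySQL, PostgreSQL, root-account and Redis passwords) all describe the same pattern: `kubectl get secret ... | base64 -d` printed straight to the terminal. The following is an added example, not code from the KubeBlocks skill or project, of handing the password to the client without ever printing it or placing it in a command line. The secret name `mycluster-conn-credential` and key `password` in the usage comment are placeholders; use whatever your KubeBlocks release generates. It targets the MySQL client's option file; `psql` supports the same idea through `PGPASSFILE`.

```bash
#!/usr/bin/env bash
# Added example (not from the KubeBlocks skill): move a database password from a
# Kubernetes Secret into a 0600 client option file instead of the terminal.
# Assumptions: base64, mktemp and the mysql client are available; secret name and key
# in the usage comment below are placeholders for your cluster's credential secret.

# write_defaults_file USER < base64_password
# Reads a base64-encoded password on stdin and writes a MySQL option file in a private
# temp directory. Prints the file path (never the password); returns 1 on failure.
# The password is written unquoted: if yours contains '#' or leading/trailing spaces,
# quote and escape it according to MySQL option-file rules.
write_defaults_file() {
  local user="${1:-root}" dir f
  dir=$(mktemp -d) || return 1
  f="$dir/my.cnf"
  ( umask 077                      # file is created 0600 inside the subshell only
    {
      printf '[client]\nuser=%s\npassword=' "$user"
      base64 -d                    # decoded bytes go to the file, not to stdout
      printf '\n'
    } > "$f"
  ) || return 1
  printf '%s\n' "$f"
}

# scrub_defaults_file PATH: overwrite (where shred exists) and remove the option file
# and its directory once the session is over.
scrub_defaults_file() {
  local f="$1"
  [ -f "$f" ] || return 1
  if command -v shred >/dev/null 2>&1; then shred -u "$f"; else rm -f "$f"; fi
  rmdir "$(dirname "$f")" 2>/dev/null || true
}

# fetch_password_b64 NAMESPACE SECRET KEY: emits the still-encoded value on stdout so it
# can be piped into write_defaults_file. Do not pipe it into base64 -d at the terminal.
fetch_password_b64() {
  kubectl -n "$1" get secret "$2" -o jsonpath="{.data.$3}"
}

# Usage (operator session; nothing here prints or logs the password):
#   cnf=$(fetch_password_b64 demo mycluster-conn-credential password | write_defaults_file root)
#   trap 'scrub_defaults_file "$cnf"' EXIT
#   mysql --defaults-extra-file="$cnf" -h mycluster-mysql.demo.svc -e 'SELECT 1'
```

The option file keeps the password out of `ps` output (which `-p<password>` and `MYSQL_PWD` do not on every platform), out of shell history, and out of chat transcripts an agent might echo back; the `trap` removes it even if the session aborts. Prefer a least-privilege account over root wherever the task allows.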

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The examples repeatedly set `terminationPolicy: Delete` in a database provisioning reference without warning that deletion will remove workloads and PVC-backed data. In a Kubernetes database skill, readers may copy these manifests directly into production-like environments, making accidental destructive data loss more likely.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The NodePort example exposes Redis Cluster nodes externally and states that direct access to each node is required, but it does not warn about the security consequences of publishing database endpoints on every node. In the context of a database-management skill, this materially increases risk of unauthorized access, brute-force attempts, misconfiguration exposure, and internet-reachable data services if used in permissive clusters.
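
The overview's pre-action checklist and the repeated `terminationPolicy: Delete` / `WipeOut` and NodePort findings above amount to a single guard an operator can put in front of `kubectl apply`. The following is an added example, not code from the KubeBlocks skill or project: a manifest linter plus a preflight wrapper that refuses to apply unless the kube context matches, the manifest carries no unreviewed destructive or exposure settings, and a server-side dry run succeeds. It assumes the field names shown in the findings (`terminationPolicy`, `serviceType`, Service `type`); the sample manifest in the comments is constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the KubeBlocks skill): pre-apply guard for Cluster manifests.
# Assumptions: apps.kubeblocks.io Cluster spec field names (terminationPolicy,
# services[].serviceType) as quoted in the findings; kubectl is needed only by
# preflight_apply(), the linter itself is pure text processing.

# lint_kb_manifest ENV < manifest.yaml
# Prints one finding per line; returns 1 if anything needs operator review, 0 if clean.
# ENV is "prod" or anything else; prod forbids terminationPolicy=Delete.
lint_kb_manifest() {
  local env="${1:-dev}" m tps tp exp line rc=0
  m=$(cat)                                   # read the whole manifest once

  # terminationPolicy decides what `kubectl delete cluster` destroys.
  tps=$(printf '%s\n' "$m" |
        sed -n 's/^[[:space:]]*terminationPolicy:[[:space:]]*\([A-Za-z]*\).*/\1/p')
  if [ -z "$tps" ]; then
    echo "terminationPolicy not set: choose it deliberately (DoNotTerminate for production)"
    rc=1
  fi
  for tp in $tps; do
    case "$tp" in
      DoNotTerminate) ;;
      WipeOut)
        echo "terminationPolicy=WipeOut: cluster deletion also removes PVCs, secrets and backups"
        rc=1 ;;
      Delete)
        if [ "$env" = "prod" ]; then
          echo "terminationPolicy=Delete in prod: cluster deletion removes PVC-backed data; use DoNotTerminate"
          rc=1
        fi ;;
      *)
        echo "terminationPolicy=$tp: value not recognised by this guard; confirm before applying"
        rc=1 ;;
    esac
  done

  # NodePort / LoadBalancer publish the database endpoint outside the cluster.
  exp=$(printf '%s\n' "$m" |
        grep -E '^[[:space:]]*(serviceType|type):[[:space:]]*(NodePort|LoadBalancer)' |
        sed 's/^[[:space:]]*//') || true
  if [ -n "$exp" ]; then
    printf '%s\n' "$exp" | while IFS= read -r line; do
      echo "external exposure: $line (database reachable outside the cluster; needs explicit approval)"
    done
    rc=1
  fi
  return "$rc"
}

# preflight_apply EXPECTED_CONTEXT NAMESPACE ENV manifest.yaml
# Refuses unless the current kube context matches, the manifest lints clean and a
# server-side dry run succeeds. The real apply is left to the operator on purpose.
preflight_apply() {
  local want_ctx="$1" ns="$2" env="$3" file="$4" have_ctx
  have_ctx=$(kubectl config current-context) || return 1
  if [ "$have_ctx" != "$want_ctx" ]; then
    echo "refusing: current context is '$have_ctx', expected '$want_ctx'" >&2
    return 1
  fi
  lint_kb_manifest "$env" < "$file" >&2 || { echo "refusing: manifest needs review" >&2; return 1; }
  kubectl apply --dry-run=server -n "$ns" -f "$file" || return 1
  echo "dry run OK; apply with: kubectl apply -n $ns -f $file" >&2
}

# Constructed sample (not from the skill) that the guard rejects for prod:
#   apiVersion: apps.kubeblocks.io/v1
#   kind: Cluster
#   spec:
#     terminationPolicy: Delete
#     services:
#       - name: external
#         serviceType: NodePort
# lint_kb_manifest prod < cluster.yaml   -> two findings, exit status 1
```

The guard is a gate, not a substitute for review: it flags the settings, the operator decides. Wire it into the agent's tool wrapper so `apply` is unreachable without passing `preflight_apply`, and run the linter on every manifest copied out of the skill's references before it touches a real namespace.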

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.