Kubernetes Agent Swarm
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate Kubernetes operations skill, but it asks agents to use powerful cluster, cloud, registry, and GitOps commands that could change or delete production systems.
Use this skill only if you intentionally want an agent to help operate Kubernetes/OpenShift infrastructure. Start with read-only or non-production credentials, explicitly approve every mutation, avoid production cluster-admin/cloud-admin tokens, disable autonomous heartbeat behavior unless needed, and review persistent memory/log files for sensitive data.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run with production credentials, the agent could change or delete deployed applications and their resources.
These raw GitOps commands can remove, replace, or delete live Kubernetes resources. The file includes approval warnings, but the commands are high-impact and not bounded to a specific cluster, namespace, or non-production environment.
argocd app sync my-app --prune
argocd app sync my-app --force
argocd app delete my-app --cascade
Use only scoped service accounts, require explicit per-command approval, prefer dry-run/diff workflows first, and restrict production force/prune/delete operations to humans.
Installing or using the skill with broad credentials could let the agent mutate clusters, cloud infrastructure, registries, and deployment systems.
The skill expects Kubernetes and optional cloud credentials that can carry broad administrative authority, while the registry metadata says no required credentials or environment variables.
requires:
  env:
    - KUBECONFIG
  optional_env:
    - AWS_ACCESS_KEY_ID
    - AWS_SECRET_ACCESS_KEY
    - AZURE_CLIENT_SECRET
    - GOOGLE_APPLICATION_CREDENTIALS
  credentials:
    - kubeconfig: "KUBECONFIG path or ~/.kube/config for cluster access"
    - cloud: "Optional cloud provider credentials for managed clusters"
Provide least-privilege, non-production credentials by default; avoid cluster-admin and cloud-admin profiles; document exactly which contexts and accounts the skill may use.
An agent could keep monitoring, routing, or preparing actions in the background if the platform honors the heartbeat model.
The skill describes recurring heartbeat behavior and agents attempting resolution. No executable scheduler is included, but if the host implements these instructions, activity may continue beyond a single user request.
heartbeat: "*/5 * * * *"
## Heartbeat Schedule
*/5 * * * * Atlas, Pulse, Shield (fast response: incidents, alerts, CVEs)
...
Agent detects issue
Agent attempts resolution within guardrails
Disable autonomous scheduling unless intended, and require human approval before any heartbeat-triggered mutation or production action.
Incorrect, sensitive, or maliciously edited memory/log entries could affect later cluster operations or expose operational information.
The skill uses persistent memory and logs that can influence future agent behavior and may accumulate operational details over time.
This repository serves as the single source of truth for cluster operations automation. All future agent actions should update relevant log files.
## Critical Rules (Always Remember)
Restrict write access to memory/log files, review changes, and never store secret values or full credential outputs in persistent notes.
Operational details or sensitive incident context could be shared more broadly than intended across the swarm.
The intended shared-comment communication model can propagate context among agents, but the artifacts do not define identity checks, origin validation, or data boundaries for those comments.
Agents communicate via @mentions in shared task context
Commenting on a task → auto-subscribe to thread
Being @mentioned → auto-subscribe
Once subscribed → receive ALL future comments on heartbeat
Keep shared task comments free of secrets, restrict who can mention/subscribe agents, and require agents to treat comments as untrusted context.
