Back to skill

Security audit

Kubernetes Agent Swarm

Security checks across malware telemetry and agentic risk

Overview

This Kubernetes operations skill is not clearly malicious, but it combines powerful infrastructure access with overbroad repo commits, PR creation, and external incident notifications that need human review.

Install only if you are comfortable giving an agent live Kubernetes/OpenShift and optional cloud or registry authority. Before use, require explicit approval for all write, delete, secret, production, PagerDuty, Slack/Teams, git commit, git push, and PR actions; restrict credentials to least privilege; and replace broad git add -A behavior with path-limited, reviewed logging.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (42)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill expands beyond artifact management into repository state tracking, mandatory git commits, and cross-session workflow control. In an agent setting, this broadens authority and can cause unauthorized modification of the local repository, persistence of sensitive state, or unintended commits unrelated to the declared artifact-management role.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill prescribes outbound communications to Slack, Teams, and PagerDuty even though those channels are not declared as necessary artifact-management dependencies. This creates unnecessary exfiltration and notification capability, allowing cluster, image, CVE, or operational metadata to be sent to external systems without clear minimization, authorization, or secret-handling controls.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The section labeled as copying images between ECR repositories includes a destructive batch-delete command against the source repository. An operator or agent following the instructions could delete the source image instead of promoting it, causing supply-chain disruption, rollback failure, or loss of a trusted artifact.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill metadata says it is 'pure instruction-based' with no executable scripts, yet it includes an explicit curl command that performs a live outbound network action to PagerDuty. This mismatch can mislead reviewers and operators about the skill's real behavior and increases the chance that sensitive operational data is transmitted without proper scrutiny.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The session-end protocol instructs the agent to run git add and git commit across the workspace, which is outside core cluster operations and can mutate unrelated repository state. In an agent setting, broad repository mutation creates risk of unintended persistence, accidental inclusion of sensitive data, or tampering with audit artifacts.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill embeds communication and incident-escalation workflows, including direct PagerDuty integration, beyond its stated cluster-operations role. Combining infrastructure access with outbound messaging and escalation increases the blast radius: the same agent can both access sensitive cluster state and transmit details externally.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill’s stated purpose is Kubernetes/OpenShift developer experience, but it also claims authority to provision AWS and Azure resources. That scope expansion can cause an agent operating with cluster-oriented trust assumptions to trigger cloud-side changes outside expected guardrails, increasing the chance of overreach, privilege misuse, or unintended infrastructure modification.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill materially expands beyond GitOps deployment management into session bookkeeping, collaboration, and incident escalation workflows. This broadens the agent’s operational authority and can normalize actions such as notifications, escalation, and workflow coordination that are not necessary for the stated purpose, increasing the chance of unintended external actions or abuse.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Including Slack, Teams, and PagerDuty operations gives the GitOps skill outbound communication and escalation capability unrelated to core deployment management. If invoked improperly, the agent could send unauthorized notifications, leak operational details, or trigger incident workflows using available credentials.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill includes administration of AWS Secrets Manager and Azure Key Vault, which exceeds normal GitOps deployment orchestration and expands access into cloud secret management. That creates a larger blast radius because the same skill can influence or retrieve high-value secrets infrastructure outside cluster deployment state.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The observability skill includes mandatory repository-wide workflow actions such as reading shared logs, updating workspace files, and committing to git. These cross-cutting duties expand the agent's authority beyond monitoring and incident analysis, increasing the chance it alters unrelated project state or persists unintended changes without explicit user approval.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill says it does not manage deployments or infrastructure, yet later incident guidance includes containment and remediation actions like rollback, scale, or redirect that can change running systems. This mismatch can cause an operator or agent to over-trust the declared scope while still executing impactful operational changes.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The role-definition narrows the agent to observing and triaging, but later instructions direct operational intervention. Contradictory scope statements are dangerous because they obscure the true privilege and action surface of the skill, making unsafe actions easier to justify during incidents.

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
The skill adds outbound communication and PagerDuty escalation behavior that is not declared in its required tools or tightly scoped to core observability diagnostics. Undeclared notification channels increase the risk of unauthorized data sharing, noisy escalations, or surprise external actions from a skill that appears primarily diagnostic.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The orchestrator is described as a coordinator, but this section authorizes it to perform repository-modifying actions itself, including creating branches, committing changes, pushing to origin, and opening pull requests. That expands the skill from passive coordination into active change execution, increasing the chance of unauthorized or accidental codebase modification through routine heartbeat processing.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This section instructs the orchestrator to send Slack/Teams messages and PagerDuty events, including outbound HTTP requests, despite the skill being presented as a pure instruction-based coordination tool. External communications can disclose operational details and create side effects outside the cluster environment without explicit consent or data-minimization controls.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Direct source-control automation and GitHub PR creation are privileged write operations that are not necessary for a coordinator-only role. If triggered automatically from logs or heartbeat logic, the orchestrator could publish unreviewed changes, create noisy or malicious PRs, or alter project history without adequate separation of duties.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The file explicitly claims the orchestrator does not do operational work itself, but later grants it authority to update files, commit changes, push branches, and open PRs. This contradiction is dangerous because operators may trust the stated limited role while the actual instructions enable direct state-changing actions in repositories and possibly linked automation pipelines.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is declared as a Kubernetes/OpenShift security specialist, but this section mandates repository workflow actions like reading workspace files and committing to git every session. That broadens the agent's authority from cluster security assessment into source-control modification, increasing the chance of unintended codebase changes or persistence of sensitive operational data in commits.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
This section introduces outbound communications to Slack, Teams, and PagerDuty that are not declared in the manifest or required capabilities. Undeclared notification and escalation channels create a data exfiltration path where cluster state, incident details, or other sensitive information could be transmitted outside the user's expected trust boundary.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The PagerDuty curl command gives the skill a concrete mechanism to send structured security data to an external service. In a 'pure instruction-based' cluster security skill, that capability is unnecessary by default and can be abused to exfiltrate incident details, resource names, and metadata using environment-backed credentials.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Mandatory git commit behavior is not justified by the stated role of a Kubernetes security specialist and pushes the agent toward changing repository state by default. This can create unauthorized persistence, accidental leakage of cluster findings into version control, or noisy commits that obscure auditability.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The skill is defined as a broad, multi-purpose Kubernetes/OpenShift operations swarm without explicit trigger boundaries, environment gating, or narrow task scoping. In a high-impact infrastructure context, this increases the chance the agent is invoked for sensitive cluster actions in live environments without sufficient user confirmation or context checks.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The file describes capabilities that can affect live clusters, deployments, RBAC, namespaces, GitOps syncs, logs, and cloud-backed cluster operations, but it does not prominently warn about production risk, credential sensitivity, or the consequences of executing commands against the wrong context. Because the skill is instruction-only and relies on host CLI tools, a user or agent could translate these instructions directly into impactful actions with insufficient safety messaging.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The Harbor examples perform authenticated network calls using inline credentials but do not carry the same human-approval warning used elsewhere in the skill. This inconsistency increases the chance that an agent or operator executes credentialed external requests automatically, exposing secrets in shell history or logs and enabling unreviewed access to registry data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
skills/observability/SKILL.md:542