K8s Security Review

Security checks across malware telemetry and agentic risk

Overview

This skill's behavior is coherent: it sends user-provided Kubernetes YAML to a review API. Users should redact real secrets and sensitive cluster details first.

Install only if you are comfortable sending selected Kubernetes manifests to the provider's external API. Before submitting production YAML, redact Secret values, tokens, passwords, internal hostnames, private registry paths, and other sensitive infrastructure details unless the provider's data handling terms meet your requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill accepts complete Kubernetes manifests, explicitly including Secrets and RBAC definitions, yet does not warn users that the submitted content will be sent to an external third-party API. This creates a real data exposure risk because manifests often contain sensitive infrastructure details, credentials, tokens, internal hostnames, and secret material that should not be transmitted without clear disclosure and consent.

VirusTotal

66/66 vendors flagged this skill as clean.