GKE Autopilot Hardening
PassAudited by ClawScan on May 10, 2026.
Overview
This appears to be a third-party API wrapper for generating GKE hardening manifests, with no local code or credentials, but users should review the provider and generated Kubernetes changes before applying them.
This skill does not include local code or request GKE credentials, so the reviewed artifacts do not show malicious behavior. Before installing or using it, verify the external API provider, avoid sending sensitive identifiers, and manually review and test any generated Kubernetes manifests before applying them to production clusters.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users must trust the external API provider to generate safe Kubernetes hardening manifests, but the artifacts provide limited provenance.
The skill relies on a hosted API described in the documentation, but the registry metadata does not provide a source repository or homepage for independently verifying the provider or implementation.
Source: unknown; Homepage: none
Verify the provider and API endpoint before relying on generated configurations, especially for production clusters.
Hardening options and tracking identifiers may be sent to a third-party service. The artifacts do not show secrets being requested, but users should avoid putting sensitive data in these fields.
The skill documents sending requests to an external API and requires a session identifier, with optional userId and timestamp fields.
Kong Route: https://api.mkkpro.com/hardening/gke-autopilot ... sessionId ... Required ... Unique session identifier for tracking and audit purposes
Use non-sensitive session identifiers, omit optional user identifiers unless needed, and confirm the destination service is trusted.
Applying generated manifests without testing could block legitimate traffic or change access controls in GKE environments.
The generated hardening manifests can include restrictive network and RBAC policies that may affect workload connectivity or access if applied to a cluster.
"description": "Default deny ingress and egress policies" ... "kind: NetworkPolicy" ... "policyTypes:\n - Ingress\n - Egress"
Review the generated YAML, test in a non-production cluster or namespace, use dry-run where possible, and keep a rollback plan.
A user might mistakenly believe the skill has applied changes to a cluster, or conversely assume it has cluster mutation authority when the artifacts do not show that capability.
The skill description says it can generate and apply configurations, but the documented endpoint only generates configurations.
description: Generate and apply security hardening configurations ... POST /api/gke-hardening/generate
Treat this skill as a generator unless separate, user-approved apply steps are provided and reviewed.