K8s Ops Plugin
Security checks across malware telemetry and agentic risk
Overview
This Kubernetes plugin is purpose-aligned, but it gives an agent broad cluster and credential-backed operational power without enough visible scoping, validation, or reviewable implementation.
Treat this as a powerful cluster-administration plugin. Only use it with a dedicated, least-privilege kubeconfig and limited SSH credentials, review the @k8s-ops/core implementation (absent from the reviewed artifacts) before installing, and require explicit approval for pod exec, rollout, scale, restart, namespace, storage, or other mutating operations.
VirusTotal
VirusTotal engine telemetry is currently stale for this artifact.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could invoke powerful Kubernetes operations with broad inputs, potentially changing workloads, opening access paths, or disrupting services if used incorrectly.
Every registered Kubernetes tool declares its parameters as Type.Any() and passes them unvalidated to its handler. Combined with the documented tools such as pod exec, port-forward, rollout, scale, restart, storage, and namespace management, this leaves no visible guardrails around high-impact cluster actions.
parameters: Type.Any(),
async execute(_toolCallId: string, params: unknown) {
  const result = await skill.handler(params, pluginConfig);

Use only with a least-privilege kubeconfig and require explicit user approval for mutating or exec-like actions; the publisher should add per-tool schemas, namespace/context scoping, dry-run support, and confirmation requirements.
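The following is an added example written for this review; it is not code from the scanned plugin or from @k8s-ops/core. It sketches the guardrails found missing above: a per-tool parameter schema in place of `parameters: Type.Any()`, a namespace/context allowlist checked before the handler runs, and dry-run by default for mutating tools, which only execute for real once an approval hook returns true. `ToolSpec`, `GuardConfig`, `guardedCall`, the sample tools and the fake handler are hypothetical names chosen for the example; nothing in it calls kubectl.

```typescript
// Added example, not code from the scanned plugin or from @k8s-ops/core.
// ToolSpec, GuardConfig, guardedCall, the sample specs and fakeHandler are
// hypothetical names chosen for this example.

export type Params = Record<string, unknown>;

export interface ToolSpec {
  name: string;
  mutating: boolean;                            // exec, rollout, scale, delete ...
  fields: Record<string, "string" | "number">;  // permitted params and their types
  required: string[];
}

export interface GuardConfig {
  allowedContexts: string[];
  allowedNamespaces: string[];
  // Human-in-the-loop hook: must return true before a mutating tool runs for real.
  approve: (tool: string, params: Params) => boolean;
}

export interface CallOptions { dryRun: boolean }
export type Handler = (params: Params, opts: CallOptions) => string;

function denied(msg: string): Error {
  return new Error("ToolCallDenied: " + msg);
}

// Reject anything the tool did not declare; Type.Any() accepted everything.
export function validateParams(spec: ToolSpec, params: unknown): Params {
  if (typeof params !== "object" || params === null || Array.isArray(params)) {
    throw denied(`${spec.name}: params must be a plain object`);
  }
  const p = params as Params;
  for (const key of Object.keys(p)) {
    const want = spec.fields[key];
    if (want === undefined) throw denied(`${spec.name}: unexpected field '${key}'`);
    if (typeof p[key] !== want) throw denied(`${spec.name}: '${key}' must be a ${want}`);
  }
  for (const key of spec.required) {
    if (!(key in p)) throw denied(`${spec.name}: missing required field '${key}'`);
  }
  return p;
}

// Every call must target an allowlisted namespace; an explicit context must be allowlisted too.
export function enforceScope(cfg: GuardConfig, spec: ToolSpec, p: Params): void {
  const ns = p.namespace;
  if (typeof ns !== "string" || cfg.allowedNamespaces.indexOf(ns) === -1) {
    throw denied(`${spec.name}: namespace '${String(ns)}' is not allowed`);
  }
  const ctx = p.context;
  if (ctx !== undefined && cfg.allowedContexts.indexOf(String(ctx)) === -1) {
    throw denied(`${spec.name}: context '${String(ctx)}' is not allowed`);
  }
}

// Validate, scope, then gate: read-only tools run directly; mutating tools run
// as a dry run unless the approval hook accepts this exact call.
export function guardedCall(cfg: GuardConfig, spec: ToolSpec, handler: Handler, raw: unknown): string {
  const p = validateParams(spec, raw);
  enforceScope(cfg, spec, p);
  const dryRun = spec.mutating && !cfg.approve(spec.name, p);
  return handler(p, { dryRun });
}

// Sample specs and a fake handler, constructed for this example (nothing here calls kubectl).
export const scaleDeployment: ToolSpec = {
  name: "scale-deployment", mutating: true,
  fields: { namespace: "string", context: "string", name: "string", replicas: "number" },
  required: ["namespace", "name", "replicas"],
};
export const getPods: ToolSpec = {
  name: "get-pods", mutating: false,
  fields: { namespace: "string", context: "string" },
  required: ["namespace"],
};
export const fakeHandler: Handler = (p, o) => (o.dryRun ? "DRY-RUN " : "") + JSON.stringify(p);

export const demoConfig: GuardConfig = {
  allowedContexts: ["staging-reader"],
  allowedNamespaces: ["team-a"],
  approve: () => false,   // nothing mutating is pre-approved; a real hook asks the operator
};
```

With `demoConfig`, `guardedCall(demoConfig, getPods, fakeHandler, { namespace: "team-a" })` runs the read-only tool, while the same call against `scaleDeployment` reaches the handler with `dryRun: true`, so a handler built on kubectl would add `--dry-run=server` rather than change replica counts; an undeclared field, a wrong type, a namespace off the allowlist, or a `context` parameter naming another cluster is refused before the handler sees it.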
If the configured kubeconfig has production or admin privileges, the agent may be able to inspect or modify sensitive cluster resources using those privileges.
The skill relies on the user's Kubernetes credentials, which may grant broad access to clusters. The artifacts do not define least-privilege expectations, allowed contexts, namespaces, or protections around credential-backed operations.
- `kubectl` installed and configured with cluster access
- Valid kubeconfig (defaults to `~/.kube/config`)
Install only with a restricted kubeconfig for the intended cluster and namespace, avoid admin contexts, and verify every mutating operation before allowing the agent to run it.
Supplying SSH credentials could let the plugin access configured hosts, and unclear handling increases the risk of unintended host access or exposure.
The plugin configuration supports SSH targets with passwords or private-key paths. This is sensitive host access, but the reviewed code does not show how those credentials are constrained, protected, or used.
"hosts": {
  "type": "array",
  "description": "SSH target hosts for sys-monitor skill",
  ...
  "password": { "type": "string" },
  "privateKeyPath": { "type": "string", "description": "Path to SSH private key" }

Prefer key-based access with limited accounts, avoid storing passwords where possible, and configure only hosts the agent is explicitly allowed to monitor.
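The following is an added example written for this review, not part of the scanned plugin. It is a pre-install preflight over the two credentials the plugin is handed, covering both the kubeconfig concerns and the SSH host configuration above: every context in the kubeconfig (not only current-context, since an agent-supplied `context` parameter can reach the others) must be on an allowlist and set a default namespace; an exec credential plugin is flagged as a heuristic, because such plugins usually log in as a broad cloud identity rather than a scoped service account; and SSH entries are refused if they store a password, lack a `privateKeyPath`, log in as root, or name a host outside the monitoring allowlist. Kubeconfig YAML is a JSON superset, so the sample is JSON to avoid a YAML dependency; field names follow the kubeconfig format and the plugin's `hosts` schema, while `Policy`, `preflight` and all sample data are constructed for the example.

```typescript
// Added example, not part of the scanned plugin. Policy, preflight, the
// sample kubeconfig and the sample hosts are constructed for this example.

interface KubeContext { name: string; context: { cluster: string; user: string; namespace?: string } }
interface KubeUser { name: string; user: Record<string, unknown> }
interface KubeConfig { "current-context": string; contexts: KubeContext[]; users: KubeUser[] }
interface SshHost { host: string; username?: string; password?: string; privateKeyPath?: string }

export interface Policy {
  allowedContexts: string[];
  allowedNamespaces: string[];
  allowedSshHosts: string[];
}

export function checkKubeconfig(raw: string, policy: Policy): string[] {
  const findings: string[] = [];
  const kc = JSON.parse(raw) as KubeConfig;
  const current = kc["current-context"];
  if (policy.allowedContexts.indexOf(current) === -1) {
    findings.push(`current-context '${current}' is not allowed`);
  }
  for (const ctx of kc.contexts || []) {
    // An extra context is reachable via --context, so its mere presence is a finding.
    if (policy.allowedContexts.indexOf(ctx.name) === -1) {
      findings.push(`context '${ctx.name}' is present but not allowed; remove it from the kubeconfig`);
    }
    const ns = ctx.context.namespace;
    if (!ns) {
      findings.push(`context '${ctx.name}' sets no default namespace`);
    } else if (policy.allowedNamespaces.indexOf(ns) === -1) {
      findings.push(`context '${ctx.name}' defaults to namespace '${ns}', which is not allowed`);
    }
  }
  for (const u of kc.users || []) {
    // Heuristic: exec plugins typically authenticate as a cloud identity with broad rights.
    if ("exec" in u.user) {
      findings.push(`user '${u.name}' uses an exec credential plugin; prefer a dedicated service-account token`);
    }
  }
  return findings;
}

export function checkSshHosts(hosts: SshHost[], policy: Policy): string[] {
  const findings: string[] = [];
  for (const h of hosts) {
    if (policy.allowedSshHosts.indexOf(h.host) === -1) findings.push(`ssh host '${h.host}' is not on the monitoring allowlist`);
    if (h.password !== undefined) findings.push(`ssh host '${h.host}' stores a password; use privateKeyPath instead`);
    if (!h.privateKeyPath) findings.push(`ssh host '${h.host}' has no privateKeyPath`);
    if (h.username === "root") findings.push(`ssh host '${h.host}' logs in as root; use a limited monitoring account`);
  }
  return findings;
}

// Run both checks; an empty result means the credentials match the policy.
export function preflight(kubeconfigRaw: string, hosts: SshHost[], policy: Policy): string[] {
  return checkKubeconfig(kubeconfigRaw, policy).concat(checkSshHosts(hosts, policy));
}

// Constructed sample data: one scoped context plus a leftover admin context,
// and one well-configured host plus one that violates every rule.
export const samplePolicy: Policy = {
  allowedContexts: ["staging-reader"],
  allowedNamespaces: ["team-a"],
  allowedSshHosts: ["node-1.internal"],
};
export const sampleKubeconfig = JSON.stringify({
  "current-context": "staging-reader",
  contexts: [
    { name: "staging-reader", context: { cluster: "staging", user: "sa-team-a", namespace: "team-a" } },
    { name: "prod-admin", context: { cluster: "prod", user: "cloud-admin" } },
  ],
  users: [
    { name: "sa-team-a", user: { token: "REDACTED-SERVICE-ACCOUNT-TOKEN" } },
    { name: "cloud-admin", user: { exec: { command: "cloud-cli", args: ["get-token"] } } },
  ],
});
export const sampleHosts: SshHost[] = [
  { host: "node-1.internal", username: "monitor", privateKeyPath: "~/.ssh/monitor_ed25519" },
  { host: "db-1.internal", username: "root", password: "example-password" },
];
```

Against the sample data, `preflight(sampleKubeconfig, sampleHosts, samplePolicy)` reports seven findings: the stray `prod-admin` context (present, and without a namespace), the exec-based `cloud-admin` user, and the four problems with `db-1.internal`. A kubeconfig containing only the `staging-reader` context with its service-account token, paired with the `node-1.internal` entry, passes cleanly, which is the shape of credential this plugin should be given.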
Users cannot verify from these artifacts what commands or API calls the 32 Kubernetes tools will actually perform.
The plugin's actual tool behavior is delegated to @k8s-ops/core, but that core implementation is not present in the provided file manifest; package.json also declares it as a workspace dependency. This leaves the high-impact Kubernetes handlers unreviewed in the supplied artifacts.
import { skillRegistry, type PluginConfig } from "@k8s-ops/core";
...
for (const skill of skillRegistry) {
  ...
  const result = await skill.handler(params, pluginConfig);

Review and pin the @k8s-ops/core implementation before installation, and require the published package to include the full handler source or a verifiable dependency version.
