tke skill

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate Tencent TKE operations skill, but it can expose cluster credentials and change cluster access endpoints without strong guardrails.

Install only if you intend to let an agent administer Tencent Cloud TKE. Use least-privileged Tencent Cloud credentials, prefer environment variables or a secret manager over command-line secrets, require explicit approval before kubeconfig retrieval or any create-endpoint/delete-endpoint action, avoid extranet endpoints unless reviewed, and treat kubeconfig output like a password that should not be pasted into shared chats, logs, or commits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill description frames the tool as an operations/query assistant, but the code also includes create/delete endpoint actions that can change cluster exposure, including enabling extranet access. This mismatch can mislead users or higher-level agents into invoking mutating, security-impacting operations in a context where read-only behavior is expected.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The README says the agent will automatically use this skill when users mention broad terms like TKE, clusters, or container services. In a skill that can retrieve kubeconfig and modify cluster endpoints, overly broad auto-triggering increases the chance of unintended execution of sensitive cloud-management actions based on ambiguous prompts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README advertises retrieval of kubeconfig without warning that kubeconfig commonly contains cluster access details, certificates, tokens, or exec-based auth configuration that can grant administrative access. In an agent setting, encouraging casual retrieval raises the risk of secret disclosure into chat history, logs, terminals, or other tools.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README notes that create-endpoint and delete-endpoint are write operations but does not explain that they can materially alter cluster connectivity and exposure, including enabling external access or disrupting existing administration paths. In infrastructure-management skills, under-warning destructive or exposure-changing actions can lead to accidental security boundary changes or outages.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README instructs users to provide long-lived cloud credentials through environment variables or command-line flags without warning that CLI arguments can be exposed via shell history, process listings, logs, or screenshots. Because these credentials grant access to TKE management functions, mishandling them can lead to unauthorized cloud access and cluster compromise.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README documents write operations that can create or delete cluster access endpoints but does not warn that these actions can expose cluster APIs externally or disrupt administrative access. In a cluster-management skill, changing endpoint state can have immediate availability and exposure consequences if invoked carelessly.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The kubeconfig command retrieves and prints cluster access material directly to stdout, which can expose credentials or bearer tokens through terminal history, logs, CI output, or agent transcripts. In an agent skill context, automatic capture of command output makes this particularly sensitive because secrets may be persisted outside the operator's awareness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Creating a cluster endpoint, especially with '--is-extranet', can materially expand network exposure of the Kubernetes control plane. Performing this action without an explicit warning or confirmation increases the chance of accidental internet exposure or misconfigured access paths, which is especially risky in an automation or agent-driven environment.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
Deleting a cluster endpoint is a destructive configuration change that can disrupt access paths used by operators or automation. Lack of confirmation raises the risk of accidental outages or operational lockout, particularly when used through higher-level tools that may call commands non-interactively.

Credential Access

High
Category
Privilege Escalation
Content
| `cluster-level` | Query cluster specifications | `--cluster-id` |
| `endpoints` | Query cluster access addresses | `--cluster-id` (required) |
| `endpoint-status` | Query endpoint status | `--cluster-id` (required), `--is-extranet` |
| `kubeconfig` | Get kubeconfig | `--cluster-id` (required), `--is-extranet` |
| `node-pools` | Query node pools | `--cluster-id` (required), `--limit` |
| `create-endpoint` | Enable cluster access endpoint | `--cluster-id` (required), `--is-extranet`, `--subnet-id`, `--security-group`, `--existed-lb-id`, `--domain`, `--extensive-parameters` |
| `delete-endpoint` | Disable cluster access endpoint | `--cluster-id` (required), `--is-extranet` |
Confidence
92% confidence
Finding
kubeconfig

Credential Access

High
Category
Privilege Escalation
Content
| `cluster-level` | Query cluster specifications | `--cluster-id` |
| `endpoints` | Query cluster access addresses | `--cluster-id` (required) |
| `endpoint-status` | Query endpoint status | `--cluster-id` (required), `--is-extranet` |
| `kubeconfig` | Get kubeconfig | `--cluster-id` (required), `--is-extranet` |
| `node-pools` | Query node pools | `--cluster-id` (required), `--limit` |
| `create-endpoint` | Enable cluster access endpoint | `--cluster-id` (required), `--is-extranet`, `--subnet-id`, `--security-group`, `--existed-lb-id`, `--domain`, `--extensive-parameters` |
| `delete-endpoint` | Disable cluster access endpoint | `--cluster-id` (required), `--is-extranet` |
Confidence
92% confidence
Finding
kubeconfig

Credential Access

High
Category
Privilege Escalation
Content
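**Typical collaboration workflow**:

1. Use the TKE Skill to query cluster information and get the kubeconfig
2. Use the Kubernetes Specialist Skill for in-cluster resource deployment, troubleshooting, security hardening, and similar operations

Together, the two Skills cover the complete operations scenario, from TKE cluster management to operations inside the K8s cluster.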
Confidence
90% confidence
Finding
kubeconfig

Credential Access

High
Category
Privilege Escalation
Content
---
name: tke
description: 腾讯云 TKE 容器服务运维专家,支持集群巡检、状态查询、节点池管理、kubeconfig 获取等
allowed-tools: Read, Bash, Write
---
Confidence
85% confidence
Finding
kubeconfig

Credential Access

High
Category
Privilege Escalation
Content
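1. `endpoints` to check whether intranet/extranet access is already enabled for the cluster
2. If not enabled, use `create-endpoint` to enable intranet or extranet access
3. `endpoint-status` to confirm the endpoint status is Created
4. `kubeconfig` to get the kubeconfig content
5. Guide the user to save the kubeconfig and configure kubectl

### Enable/disable cluster access endpoints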
Confidence
76% confidence
Finding
kubeconfig

Credential Access

High
Category
Privilege Escalation
Content
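1. `endpoints` to check whether intranet/extranet access is already enabled for the cluster
2. If not enabled, use `create-endpoint` to enable intranet or extranet access
3. `endpoint-status` to confirm the endpoint status is Created
4. `kubeconfig` to get the kubeconfig content
5. Guide the user to save the kubeconfig and configure kubectl

### Enable/disable cluster access endpoints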
Confidence
76% confidence
Finding
kubeconfig

Credential Access

High
Category
Privilege Escalation
Content
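2. If not enabled, use `create-endpoint` to enable intranet or extranet access
3. `endpoint-status` to confirm the endpoint status is Created
4. `kubeconfig` to get the kubeconfig content
5. Guide the user to save the kubeconfig and configure kubectl

### Enable/disable cluster access endpoints
1. `endpoints` to check the current endpoint status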
Confidence
90% confidence
Finding
kubeconfig

Credential Access

High
Category
Privilege Escalation
Content
print_json(result)


def cmd_kubeconfig(args):
    """Get the cluster kubeconfig"""
    secret_id, secret_key = get_credentials(args)
    client = create_common_client(secret_id, secret_key, args.region)
Confidence
98% confidence
Finding
kubeconfig

Credential Access

High
Category
Privilege Escalation
Content
    params = {"ClusterId": args.cluster_id}
    if args.is_extranet:
        params["IsExtranet"] = True
    result = call_api(client, "DescribeClusterKubeconfig", params)
    print_json(result)
Confidence
99% confidence
Finding
Kubeconfig

VirusTotal

64/64 vendors flagged this skill as clean.
