kube-medic

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Kubernetes triage skill that is read-only by default, with optional user-confirmed cluster changes that require careful review before use.

Install only if you are comfortable letting the agent inspect Kubernetes state and pod logs through your current kubeconfig. Prefer a read-only or namespace-scoped RBAC role, verify the active kubectl context before running it, and approve confirm-write commands only after checking the exact cluster, namespace, resource, and availability impact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84%
Finding
The skill invokes `bash scripts/kube-medic.sh` and operates against Kubernetes APIs via `kubectl`, which implies network-capable access to cluster endpoints, yet no permissions are declared in the manifest. This creates a transparency and governance gap: users and hosting platforms may treat the skill as lower-risk than it is, even though it can query sensitive cluster state and metadata over the network.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95%
Finding
The skill is presented primarily as a diagnostics/triage tool, but the documented interface also supports state-changing `kubectl` operations such as rollback, restart, scale, pod deletion, cordon, and uncordon via `--confirm-write`. That mismatch is dangerous because operators may approve or install the skill expecting read-only behavior, while it can alter production cluster state if prompted or socially engineered.

Description-Behavior Mismatch

Medium
Confidence
92%
Finding
The testing guide explicitly exercises a write-capable path (`--confirm-write`) that performs `kubectl rollout undo`, confirming the skill can mutate cluster state despite being framed as triage/diagnostics. In a Kubernetes context, even 'safe' writes normalize operational changes through the tool and can be abused or expanded later, especially if users run it with broad credentials in real clusters.

Context-Inappropriate Capability

Medium
Confidence
94%
Finding
The documented `--confirm-write` interface allows cluster-changing commands, which exceeds the stated incident triage and diagnostics purpose. A generic write gateway in a kubectl-adjacent tool increases the chance of misuse, privilege abuse, or scope creep, because users may trust the tool as read-only while it can issue mutations against any cluster their kubeconfig can access.

Description-Behavior Mismatch

High
Confidence
97%
Finding
The script is presented as a read-only diagnostics/triage tool, but it also exposes a write path via `--confirm-write` that can execute mutating `kubectl` operations such as delete pod, scale, rollout restart/undo, cordon, and uncordon. In an agent skill context, this expands the trust boundary from passive inspection to active cluster modification, creating risk of unintended disruption or abuse if the skill is invoked with elevated privileges.

Context-Inappropriate Capability

High
Confidence
98%
Finding
The confirm-write handler permits cluster-modifying commands that are not necessary for diagnostics, including deleting pods and changing node schedulability. Because the caller supplies the full kubectl command within a loose allowlist, the skill can be used operationally rather than diagnostically, increasing the chance of service disruption, rollback misuse, or destructive actions in production clusters.

Intent-Code Divergence

Medium
Confidence
90%
Finding
Although the code avoids shell eval and blocks some metacharacters, it still executes user-supplied kubectl commands after only partial validation. This is dangerous because arbitrary flags and arguments can still be passed to allowed verbs/resources, potentially targeting sensitive namespaces or altering more objects than intended, while the comment overstates the safety of the filter and may cause maintainers to underappreciate the residual risk.

VirusTotal

66/66 vendors flagged this skill as clean.