K3s Kubernetes Deploy

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real K3s deployment skill, but it gives broad remote server control while handling credentials, host trust, and cluster secrets with weak safeguards.

Install only if you intentionally want an agent to administer the listed Linux servers. Prefer SSH keys over password arguments, verify host keys before connecting, review or pin the K3s installer, protect kubeconfig and cluster tokens, and use this first in a lab or maintenance window with backups and a rollback plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: The script writes the cluster join token to /tmp/k3s-token.txt on the local machine, placing sensitive cluster credentials in a world-accessible temporary location on many systems. Any local user or process that reads this file before cleanup could join rogue nodes or facilitate further cluster compromise.

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding: The script copies the remote kubeconfig into ~/.kube/config and rewrites its server address away from loopback, increasing exposure of administrative cluster access material. Kubeconfig typically contains client credentials or bearer tokens, so making it more broadly usable expands the blast radius if the account or file is later accessed by an unintended party.

Context-Inappropriate Capability
Severity: Medium
Confidence: 98%
Finding: The script disables SSH host key verification with StrictHostKeyChecking=no while connecting to a remote host using supplied credentials. In a deployment tool that performs privileged remote actions, this enables man-in-the-middle interception or redirection to an attacker-controlled host, potentially exposing credentials and causing unauthorized commands to run on the wrong system.

Vague Triggers
Severity: Medium
Confidence: 84%
Finding: The trigger conditions are broad enough to match general mentions of K3s, Kubernetes deployment, cluster installation, or node joining, which can cause the skill to activate in situations where the user only wants advice rather than execution. For a skill that can drive remote deployment and configuration changes, over-broad triggering raises the risk of unintended high-impact actions.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The workflow describes remote installation, network plugin deployment, and cluster changes but does not prominently warn users that these actions can alter system networking, disable safeguards, affect availability, and require privileged access. In deployment contexts involving multiple Linux servers and root credentials, missing warnings make accidental destructive use more likely.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The troubleshooting guide includes destructive operational commands such as deleting pods, deleting all pods on a node, and deleting a DaemonSet, but it does not warn about service disruption, workload impact, or the need to verify the target before execution. In an automation/deployment skill for K3s, users may copy-paste these commands during incident response, increasing the chance of accidental outage or cascading cluster instability.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The guide overwrites /etc/cni/net.d/10-flannel.conflist using shell redirection, which can silently replace an existing working CNI configuration. On Kubernetes nodes, clobbering network configuration can break pod networking, prolong NotReady states, or make recovery harder if the original config is lost.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The document replaces /etc/docker/daemon.json wholesale with a new heredoc, which may erase existing daemon settings such as insecure registries, storage driver options, proxies, or logging configuration. In a cluster deployment context, this can break image pulls, container runtime behavior, or compliance-related settings across nodes.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The script accepts plaintext SSH passwords as command-line arguments and uses password-based automation via sshpass. Command-line secrets can be exposed through shell history, process listings, logs, and orchestration tooling, making credential theft significantly easier.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: Writing the sensitive cluster token to a predictable file under /tmp creates a local secret exposure risk. Temporary directories are commonly shared, monitored, or recoverable, so this can leak credentials beyond the intended deployment flow.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: This is substantively the same security issue as the StrictHostKeyChecking=no finding above: SSH identity validation is turned off without warning or justification, so the operator may assume the remote endpoint is authenticated when it is not. Because the skill is meant for multi-node K3s deployment and executes docker commands remotely, a spoofed SSH endpoint could capture secrets or receive cluster bootstrapping actions intended for real infrastructure.

VirusTotal

52/52 vendors flagged this skill as clean.