Back to skill

Security audit

K8s

Security checks across malware telemetry and agentic risk

Overview

This Kubernetes skill is purpose-aligned but needs Review because it enables broad cluster-changing kubectl access while downloading and caching sensitive kubeconfigs and a kubectl binary with limited guardrails.

Install only if you trust the publisher and intend to let an agent run kubectl against clusters you specify. Prefer a local vetted kubeconfig and a preinstalled official kubectl binary, avoid --insecure except in controlled self-signed environments, review every mutating command before execution, and periodically remove cached kubeconfigs if used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly enables running arbitrary kubectl operations, including destructive actions like apply, delete, exec, and port-forward, against arbitrary clusters, but the description does not prominently warn users about the potential for cluster-wide modification or disruption. In a high-trust agent setting, this omission can mislead users into invoking dangerous operations without appreciating the blast radius.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill advertises automatic download of remote kubeconfigs and automatic installation of kubectl from a mirror, but does not clearly warn that these actions involve trusting remote infrastructure and handling sensitive credentials. Because kubeconfigs often contain cluster credentials or exec-based auth configuration, downloading and caching them without a strong trust/privacy warning increases the risk of credential exposure or use of malicious configuration.

Credential Access

High
Category
Privilege Escalation
Content
|------|---------|-------------|
| `--kubeconfig <path>` | `KUBECONFIG_PATH` | Local kubeconfig file path. |
| `--kubeconfig-url <url>` | `KUBECONFIG_URL` | Remote kubeconfig URL (http/https). Downloaded once and cached. |
| `--cache-dir <dir>` | `K8S_SKILL_CACHE_DIR` | Cache directory for downloaded kubeconfigs and kubectl binary. Defaults to `$HOME/.cache/k8s-skill`. |
| `--refresh` | - | Force re-download of the remote kubeconfig even if cached. |
| `--kubectl <path>` | `KUBECTL_BIN` | Use a specific kubectl binary instead of auto-detect/install. |
| `--insecure` | - | Pass `-k` to `curl` when downloading the kubeconfig (use only for trusted self-signed endpoints). |
Confidence
91% confidence
Finding
kubeconfig

Credential Access

High
Category
Privilege Escalation
Content
## Behavior Notes

- **kubectl auto-install:** When `kubectl` is missing and no `--kubectl`/`KUBECTL_BIN` override is given, the wrapper downloads a stable `kubectl` binary for the current OS/arch from the DaoCloud mirror (`https://files.m.daocloud.io/dl.k8s.io/...`) and caches it under `<cache-dir>/bin/kubectl`. The cache directory is added to `PATH` for the duration of the command.
- **Kubeconfig caching:** Remote kubeconfigs are hashed by URL (sha256) and stored at `<cache-dir>/kubeconfigs/<hash>.yaml`. Use `--refresh` to bypass the cache.
- **Secrets:** Downloaded kubeconfigs are written with `chmod 600`. Avoid logging the file contents.
- **Cross-platform:** The wrapper auto-detects Linux/macOS and amd64/arm64 for kubectl downloads.
- **Errors:** If both kubeconfig sources are missing the script exits with a clear error. Curl/network errors are surfaced verbatim.
Confidence
94% confidence
Finding
Kubeconfig

Credential Access

High
Category
Privilege Escalation
Content
## Behavior Notes

- **kubectl auto-install:** When `kubectl` is missing and no `--kubectl`/`KUBECTL_BIN` override is given, the wrapper downloads a stable `kubectl` binary for the current OS/arch from the DaoCloud mirror (`https://files.m.daocloud.io/dl.k8s.io/...`) and caches it under `<cache-dir>/bin/kubectl`. The cache directory is added to `PATH` for the duration of the command.
- **Kubeconfig caching:** Remote kubeconfigs are hashed by URL (sha256) and stored at `<cache-dir>/kubeconfigs/<hash>.yaml`. Use `--refresh` to bypass the cache.
- **Secrets:** Downloaded kubeconfigs are written with `chmod 600`. Avoid logging the file contents.
- **Cross-platform:** The wrapper auto-detects Linux/macOS and amd64/arm64 for kubectl downloads.
- **Errors:** If both kubeconfig sources are missing the script exits with a clear error. Curl/network errors are surfaced verbatim.
Confidence
94% confidence
Finding
kubeconfig

Credential Access

High
Category
Privilege Escalation
Content
## Behavior Notes

- **kubectl auto-install:** When `kubectl` is missing and no `--kubectl`/`KUBECTL_BIN` override is given, the wrapper downloads a stable `kubectl` binary for the current OS/arch from the DaoCloud mirror (`https://files.m.daocloud.io/dl.k8s.io/...`) and caches it under `<cache-dir>/bin/kubectl`. The cache directory is added to `PATH` for the duration of the command.
- **Kubeconfig caching:** Remote kubeconfigs are hashed by URL (sha256) and stored at `<cache-dir>/kubeconfigs/<hash>.yaml`. Use `--refresh` to bypass the cache.
- **Secrets:** Downloaded kubeconfigs are written with `chmod 600`. Avoid logging the file contents.
- **Cross-platform:** The wrapper auto-detects Linux/macOS and amd64/arm64 for kubectl downloads.
- **Errors:** If both kubeconfig sources are missing the script exits with a clear error. Curl/network errors are surfaced verbatim.
Confidence
94% confidence
Finding
kubeconfig

VirusTotal

54/54 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.