← 返回 Skills 市场

K8s Security Review

Name: K8s Security Review
Author: krishnakumarmahadevan-cmd

作者 ToolWeb · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

175

总下载

当前安装

版本数

在 OpenClaw 中安装

/install k8s-security-review

功能描述

Analyzes Kubernetes YAML manifests for security misconfigurations, best practices violations, and compliance risks.

使用说明 (SKILL.md)

Overview

Kubernetes Security Review is a specialized security analysis tool that scans Kubernetes YAML manifests for vulnerabilities, misconfigurations, and deviations from industry security best practices. Organizations using Kubernetes in production environments can leverage this tool to identify and remediate security gaps before deployment.

The tool performs comprehensive static analysis on Kubernetes resources, detecting issues such as missing security contexts, overly permissive RBAC configurations, exposed secrets, resource limits violations, and container image best practices. This proactive approach helps prevent common Kubernetes security incidents and ensures compliance with organizational security policies.

Ideal users include DevOps engineers, platform security teams, Kubernetes administrators, and organizations implementing security-as-code practices. The tool integrates seamlessly into CI/CD pipelines, policy enforcement workflows, and infrastructure-as-code validation processes.

Usage

Sample Request

{
  "yaml_content": "apiVersion: v1\
kind: Pod\
metadata:\
  name: web-app\
  namespace: production\
spec:\
  containers:\
  - name: nginx\
    image: nginx:latest\
    ports:\
    - containerPort: 80\
    securityContext:\
      runAsNonRoot: false\
      privileged: true\
    resources:\
      requests:\
        memory: \"64Mi\"\
        cpu: \"250m\"\
    volumeMounts:\
    - name: config\
      mountPath: /etc/config\
  volumes:\
  - name: config\
    secret:\
      secretName: db-credentials"
}

Sample Response

{
  "manifest_valid": true,
  "findings": [
    {
      "severity": "HIGH",
      "rule_id": "K8S-001",
      "category": "Security Context",
      "message": "Container running in privileged mode - potential security risk",
      "resource": "Pod/web-app/containers/nginx",
      "recommendation": "Set privileged: false and use specific capabilities instead"
    },
    {
      "severity": "HIGH",
      "rule_id": "K8S-002",
      "category": "Container Image",
      "message": "Using image tag 'latest' is not recommended in production",
      "resource": "Pod/web-app/containers/nginx",
      "recommendation": "Pin image to a specific version tag (e.g., nginx:1.25.3)"
    },
    {
      "severity": "MEDIUM",
      "rule_id": "K8S-003",
      "category": "Security Context",
      "message": "Container should run as non-root user",
      "resource": "Pod/web-app/containers/nginx",
      "recommendation": "Set runAsNonRoot: true and specify a non-zero uid"
    },
    {
      "severity": "MEDIUM",
      "rule_id": "K8S-004",
      "category": "Pod Security",
      "message": "Pod does not enforce read-only root filesystem",
      "resource": "Pod/web-app",
      "recommendation": "Set readOnlyRootFilesystem: true where possible"
    }
  ],
  "summary": {
    "total_findings": 4,
    "high_severity": 2,
    "medium_severity": 2,
    "low_severity": 0,
    "compliance_score": 65
  }
}

Endpoints

POST /review-k8s

Analyzes a Kubernetes YAML manifest for security issues, misconfigurations, and best practices violations.

Method: POST

Path: /review-k8s

Parameters:

Name	Type	Required	Description
`yaml_content`	string	Yes	Complete Kubernetes YAML manifest as a string. Can include single or multiple resources (Pods, Deployments, Services, ConfigMaps, Secrets, RBAC definitions, Network Policies, etc.).

Request Body:

{
  "yaml_content": "\x3Ckubernetes-yaml-manifest>"
}

Response (200 OK): Returns a comprehensive security analysis report including:

manifest_valid: Boolean indicating if YAML is syntactically valid
findings: Array of security findings, each containing:
- severity: One of HIGH, MEDIUM, LOW
- rule_id: Unique identifier for the security rule
- category: Type of finding (e.g., Security Context, Container Image, Pod Security, RBAC, Secrets Management)
- message: Detailed description of the issue
- resource: Kubernetes resource path affected
- recommendation: Remediation guidance
summary: Aggregate statistics including total findings, severity breakdown, and compliance score

Response (422 Validation Error): Returned when the request payload fails validation.

{
  "detail": [
    {
      "loc": ["body", "yaml_content"],
      "msg": "field required",
      "type": "value_error.missing"
    }
  ]
}

Pricing

Plan	Calls/Day	Calls/Month	Price
Free	5	50	Free
Developer	20	500	$39/mo
Professional	200	5,000	$99/mo
Enterprise	100,000	1,000,000	$299/mo

About

ToolWeb.in - 200+ security APIs, CISSP & CISM, platforms: Pay-per-run, API Gateway, MCP Server, OpenClaw, RapidAPI, YouTube.

References

Kong Route: https://api.mkkpro.com/security/k8s-security-review
API Docs: https://api.mkkpro.com:8022/docs

安全使用建议

Before installing or using this skill: 1) Treat any Kubernetes manifest you send to an external service as potentially sensitive — avoid sending manifests that contain Secrets, passwords, tokens, kubeconfigs, or other credentials. 2) Ask the skill author or registry for the exact base URL the agent will call, how network requests are authenticated, and the vendor's data retention/privacy policy. The SKILL.md lists toolweb.in and api.mkkpro.com — verify those endpoints independently. 3) If you prefer no network exposure, use a local/offline linter instead (examples: kube-linter, kubeconform, kubesec, conftest, Polaris). 4) Test with non-sensitive example manifests first and confirm where telemetry or logs are sent. If the vendor expects an API key or paid plan, demand that the skill declare the required credentials explicitly before use.

功能分析

Type: OpenClaw Skill Name: k8s-security-review Version: 1.0.0 The skill is a legitimate security tool designed to analyze Kubernetes YAML manifests for misconfigurations and compliance risks. It functions by sending user-provided manifest content to an external API (api.mkkpro.com) for static analysis, which is consistent with its stated purpose in SKILL.md and openapi.json. No evidence of malicious intent, prompt injection, or unauthorized data exfiltration was found.

能力评估

ℹ Purpose & Capability

Name/description match the behavior in SKILL.md (it analyzes Kubernetes manifests). However the README includes external service references and pricing (toolweb.in, api.mkkpro.com) even though the endpoints section only lists a relative path (/review-k8s) and the skill requests no credentials. It's plausible this is a wrapper for a hosted API, but the skill does not declare the base URL, network usage, or any required API key, which is an unexplained gap.

⚠ Instruction Scope

SKILL.md instructs sending full Kubernetes YAML as the request body. Kubernetes manifests often contain secrets, credentials, or other sensitive information; the instructions do not warn about sensitive data, nor do they describe retention, privacy, or where the manifest will be sent. Because the skill appears to depend on an external API (vendor links provided), this creates a real risk of inadvertent exfiltration of sensitive config.

✓ Install Mechanism

Instruction-only skill with no install spec and no bundled code — minimal disk footprint and no packages to review. This is the lowest-risk install model.

ℹ Credentials

The skill requests no environment variables or credentials, which is consistent with a simple analyzer. However the documentation advertises paid plans and external endpoints, yet asks for no API key or auth — either the service is public/free (possible) or the skill omits required auth details. This mismatch should be clarified.

✓ Persistence & Privilege

The skill does not request always:true, does not require special OS restrictions, and does not request system config paths or persistent credentials. It uses normal, user-invocable privileges.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install k8s-security-review
安装完成后，直接呼叫该 Skill 的名称或使用 /k8s-security-review 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Kubernetes Security Review 1.0.0 – Initial Release - Launch of a tool to analyze Kubernetes YAML manifests for security misconfigurations, best practices violations, and compliance risks. - Provides static analysis for vulnerabilities such as missing security contexts, dangerous RBAC settings, exposed secrets, and improper resource limits. - Integrates with CI/CD workflows and is suitable for DevOps, security teams, and Kubernetes administrators. - Includes a /review-k8s POST endpoint that returns detailed findings, severity ratings, recommendations, and a compliance score. - Offers multiple pricing tiers (Free, Developer, Professional, Enterprise) to accommodate different usage levels.

元数据

Slug k8s-security-review

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题