Kubernaut Agent Security Flaw: Untrusted Data Flows Directly Into LLM, Enabling Prompt Injection

The Kubernaut Agent's core investigation pipeline is vulnerable to prompt injection attacks, as it processes untrusted content from multiple Kubernetes sources directly into its LLM context window without any sanitization or detection. This creates a direct path for attackers to manipulate the agent's reasoning and outputs. The exposure is systemic: anyone with standard RBAC permissions to deploy workloads, set resource annotations, create Events, or manage ConfigMaps can potentially inject malicious prompts through the very data the agent is designed to analyze.

The vulnerability stems from how the agent's tool results are fed into the LLM. Critical data sources like `kubectl logs` output, `kubectl describe` results, Prometheus query results, and AlertManager annotations all flow unchecked into the prompt context. For instance, an attacker who can deploy a pod can write crafted content to its stdout, which the agent will then ingest as a tool result. Similarly, anyone who can create or modify a ConfigMap or Secret can embed injection payloads that the agent will retrieve and process.

This flaw fundamentally undermines the security model of an agent designed to investigate potentially compromised environments. An attacker with initial foothold could not only evade detection but actively subvert the investigative tool itself, potentially causing it to generate false conclusions, execute unauthorized commands, or leak sensitive data. The lack of guardrails transforms every piece of untrusted cluster data into a potential attack vector against the agent's AI core, posing a significant risk to automated security and operational workflows in Kubernetes.