
feat(rh-developer): add debug-scc and debug-rbac skills #79

Open
jordigilh wants to merge 6 commits into RHEcosystemAppEng:main from jordigilh:feat/debug-scc-rbac-skills

Conversation

@jordigilh
Contributor

Summary

  • 2 new diagnostic skills in rh-developer/skills/:
    • debug-scc — Diagnoses OpenShift SCC violations blocking pod creation. Parses ReplicaSet FailedCreate events, identifies non-compliant securityContext fields (runAsUser, capabilities.add, allowPrivilegeEscalation), checks ServiceAccount SCC bindings, and offers three fix paths (patch securityContext, grant SCC binding, or rollback).
    • debug-rbac — Diagnoses RBAC permission failures causing 403 Forbidden errors. Analyzes pod logs and readiness probes for FORBIDDEN errors, identifies missing Role/RoleBinding for ServiceAccounts, detects regression patterns where bindings are repeatedly removed, and creates targeted RBAC resources.
  • Both skills follow the existing debug-pod/debug-network pattern: 6-step workflow with human-in-the-loop checkpoints, structured markdown output tables, and clear "WAIT for user confirmation" gates at each step
  • Diagnostic patterns are backed by validated golden transcripts from Kubernaut demo scenarios:
  • CLAUDE.md updated with intent routing entries and skill chaining paths for both skills
  • collection.yaml / collection.json updated with skill registrations, summaries, and decision guide entries

Motivation

The existing debug skill set covers pods, builds, networks, containers, pipelines, and RHEL hosts — but has no dedicated skills for two of the most common OpenShift-specific failure modes: SCC admission violations and RBAC permission denials. These are distinct from generic pod failures (debug-pod) because they require parsing OpenShift-specific error messages (SCC rejection enumerations, API 403s) and checking OpenShift-specific resources (SecurityContextConstraints, RoleBindings). The golden transcripts from Kubernaut's automated investigation runs validate that the diagnostic patterns in these skills match real-world investigation workflows.

Test plan

  • make validate passes cleanly (structure + collection compliance)
  • Both SKILL.md files follow existing frontmatter schema (name, description, model, color, metadata.user_invocable)
  • Workflow steps match existing debug skill patterns (6 steps, WAIT checkpoints, markdown tables)
  • MCP tool references use openshift server (resources_get, resources_list, pod_list, pod_logs, events_list)
  • CLAUDE.md intent routing entries are consistent with existing format
  • collection.yaml and collection.json both register the new skills
  • Golden transcript links resolve to actual files on GitHub

Made with Cursor
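The debug-scc workflow described above starts by parsing the SCC rejection enumeration in a ReplicaSet FailedCreate event and mapping each non-compliant securityContext field to a fix path. The following Python is an added illustration of that first step, not code from the PR or the skill: the event message is a constructed sample modelled on the format OpenShift emits, and the fix hints and the JSON-patch builder for the "patch securityContext" path are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the message the ReplicaSet controller puts in a
# FailedCreate event when the pod template is rejected by every SCC the
# ServiceAccount may use. Names, UIDs and ranges are made up for illustration.
SAMPLE_EVENT_MESSAGE = (
    'Error creating: pods "myapp-7d9f8c6b5-" is forbidden: unable to validate against '
    'any security context constraint: [provider "anyuid": Forbidden: not usable by user '
    'or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid '
    'value: []int64{0}: 0 is not an allowed group, '
    'spec.containers[0].securityContext.runAsUser: Invalid value: 0: must be in the '
    'ranges: [1000680000, 1000689999], '
    'spec.containers[0].securityContext.capabilities.add: Invalid value: "NET_ADMIN": '
    'capability may not be added, '
    'spec.containers[0].securityContext.allowPrivilegeEscalation: Invalid value: true: '
    'Allowing privilege escalation for containers is not allowed, '
    'provider "nonroot-v2": Forbidden: not usable by user or serviceaccount]'
)

_LIST_RE = re.compile(
    r"unable to validate against any security context constraint: \[(.*)\]\s*$", re.S)
_UNUSABLE_RE = re.compile(
    r'provider "([^"]+)": Forbidden: not usable by user or serviceaccount')
# One field-level violation: <path>: Invalid value: <value>: <reason>, terminated by the
# next list item (a provider entry or another spec.* path) or the end of the list.
_FIELD_RE = re.compile(
    r"(?P<path>\.?spec\.[\w.\[\]]+): Invalid value: (?P<value>.*?): (?P<reason>.*?)"
    r"(?=, provider |, \.?spec\.|$)", re.S)

# Fix hints keyed by the last path segment (this example's wording). The two fix
# paths are the ones the PR names: patch the securityContext, or grant an SCC binding.
_FIX_HINTS = {
    "runAsUser": "drop runAsUser so the SCC assigns a UID from the namespace range, "
                 "or bind the ServiceAccount to an SCC that allows that UID",
    "capabilities.add": "remove the added capability, or bind an SCC whose "
                        "allowedCapabilities includes it",
    "allowPrivilegeEscalation": "set allowPrivilegeEscalation: false",
    "fsGroup": "drop fsGroup so the SCC assigns one from the namespace range",
}


@dataclass(frozen=True)
class Violation:
    path: str
    value: str
    reason: str
    fix: str


def _fix_hint(path: str) -> str:
    for key, hint in _FIX_HINTS.items():
        if path.endswith(key):
            return hint
    return "align this field with the SCC's allowed values, or grant a permissive SCC"


def parse_scc_rejection(message: str) -> dict:
    """Return the unusable SCCs and the field violations named in an SCC rejection."""
    m = _LIST_RE.search(message)
    if not m:
        return {"is_scc_rejection": False, "unusable_sccs": [], "violations": []}
    body = m.group(1)
    violations = [
        Violation(g["path"], g["value"], g["reason"], _fix_hint(g["path"]))
        for g in (mm.groupdict() for mm in _FIELD_RE.finditer(body))
    ]
    return {"is_scc_rejection": True,
            "unusable_sccs": _UNUSABLE_RE.findall(body),
            "violations": violations}


def _json_pointer(path: str, prefix: str = "/spec/template") -> str:
    # spec.containers[0].securityContext.runAsUser -> /spec/template/spec/containers/0/...
    return prefix + "/" + "/".join(re.findall(r"[^.\[\]]+", path))


def build_json_patch(violations) -> list:
    """RFC 6902 ops for the 'patch securityContext' path on a Deployment's pod template."""
    ops = []
    for v in violations:
        ptr = _json_pointer(v.path)
        if v.path.endswith("allowPrivilegeEscalation"):
            ops.append({"op": "replace", "path": ptr, "value": False})
        else:
            # Removes the offending field; for capabilities.add this drops the whole
            # list, so review the patch before applying it if some entries are needed.
            ops.append({"op": "remove", "path": ptr})
    return ops


if __name__ == "__main__":
    result = parse_scc_rejection(SAMPLE_EVENT_MESSAGE)
    print("SCCs not usable by this ServiceAccount:", result["unusable_sccs"])
    for v in result["violations"]:
        print(f"{v.path} = {v.value}: {v.reason}\n  -> {v.fix}")
    print(build_json_patch(result["violations"]))
```

The unusable-SCC list is what the "grant SCC binding" path acts on; the violation list feeds the "patch securityContext" path.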

@dmartinol
Collaborator

/skill-security-scan

@dmartinol
Collaborator

/skill-code-review

@github-actions

github-actions Bot commented May 7, 2026

Gemini Code Review


1. Summary

This PR introduces two highly valuable debugging skills to the rh-developer pack: /debug-scc (for Security Context Constraint violations) and /debug-rbac (for Role-Based Access Control issues). It correctly updates the pack's CLAUDE.md intent routing and skill chaining, and properly registers the new skills in the .catalog/ files.

2. Project Rules Compliance

While the content and diagnostic logic of these skills are excellent, there are several structural violations of SKILL_DESIGN_PRINCIPLES.md that need to be addressed:

  • Section Ordering: In both debug-rbac/SKILL.md and debug-scc/SKILL.md, the ## Critical: Human-in-the-Loop Requirements section is placed after ## Prerequisites. According to Principle #7, it must be placed before ## Prerequisites.
  • Prerequisites Section Content: Both skills have a brief ## Prerequisites section that fails to meet Principle #7 and #8. They are missing the mandatory subsections:
    • **Required MCP Servers:**
    • **Required MCP Tools:**
    • **Verification Steps:**
    • **Human Notification Protocol:**
    • **Security:** Never display credential values.
  • Workflow Step Formatting: Principle #2 and #7 dictate a strict format for Workflow steps to ensure first-attempt success. Both skills currently use a conversational description (e.g., "Use kubernetes MCP pod_list to find pods..."). You must use the explicit format for each step that calls a tool:
    **MCP Tool**: `tool_name` (from server-name)
    **Parameters**:
    - `param`: "value" (type, constraints)
    **Expected Output**: [Description]
    **Error Handling**:
    - If [condition]: [resolution]
  • Dependencies Section Content: Principle #5 requires a ### Required MCP Tools subsection under ## Dependencies. Both skills omit this entirely, only listing ### Required MCP Servers.
  • ⚠️ Build Reminder: Since you added new skills and updated the catalog, please remember to run make validate locally to ensure the linter and collection compliance checks pass.

3. Code Quality Issues

  • Workflow Execution vs. Output: In your workflow steps, you have provided excellent markdown templates for what the AI should output to the user. However, because the strict **MCP Tool** / **Parameters** blocks are missing, the AI might hallucinate the tool parameters or fail to handle errors gracefully before generating that output. Wrapping your current logic in the required structure will make the skills much more reliable.

4. Suggestions

  • Add Example Usage: Principle #7 recommends adding an ## Example Usage section at the very end of the skill file showing a sample user query and the skill's response. This helps the AI understand the expected interaction flow.
  • Document Consultation: Both skills reference docs/debugging-patterns.md in their Dependencies. If the AI should actually read this file during the workflow, you should add a Document Consultation block to Step 1 (as per Principle #1). If it's just for human reference, it's fine as-is in the Dependencies section.

5. Verdict

REQUEST_CHANGES — The diagnostic logic is fantastic, but the skill files need to be updated to comply with the mandatory structural requirements (Section Ordering, Prerequisites format, Workflow step format, and Dependencies format) defined in SKILL_DESIGN_PRINCIPLES.md.



@github-actions

github-actions Bot commented May 7, 2026

❌ Skill Security Scan

📋 rh-developer

Agent Skills Security Scan Report

Timestamp: 2026-05-07T07:11:09.443498+00:00

Summary

  • Total Skills Scanned: 16
  • Safe Skills: 13
  • Total Findings: 43

Findings by Severity

  • Critical: 2
  • High: 3
  • Medium: 7
  • Low: 15
  • Info: 16

Skill Results


[OK] debug-rbac

  • Max Severity: LOW

  • Findings: 2

  • Directory: /home/runner/work/agentic-collections/agentic-collections/rh-developer/skills/debug-rbac

    [LOW] Missing allowed-tools Declaration in Manifest

    Severity: LOW
    Category: skill_discovery_abuse
    Rule ID: LLM_SKILL_DISCOVERY_ABUSE
    Location: SKILL.md

    Description: The skill's manifest (SKILL.md frontmatter) does not specify the allowed-tools field. While this field is optional, declaring it provides an explicit security boundary for the agent's capabilities and is a recommended security best practice. Without this declaration, there are no manifest-level restrictions on which tools the agent can use when executing this skill.

    Code Snippet:

    allowed-tools: Not specified
    

    Remediation: Add an allowed-tools key to the SKILL.md frontmatter, listing the specific agent tools required for the skill's operation (e.g., Bash, Python, Read, Write). This enforces the principle of least privilege at the skill manifest level.

    [INFO] Skill does not specify a license

    Severity: INFO
    Category: policy_violation
    Rule ID: MANIFEST_MISSING_LICENSE
    Location: SKILL.md

    Description: Skill manifest does not include a 'license' field. Specifying a license helps users understand usage terms.

    Remediation: Add 'license' field to SKILL.md frontmatter (e.g., MIT, Apache-2.0)


[FAIL] recommend-image

  • Max Severity: HIGH

  • Findings: 5

  • Directory: /home/runner/work/agentic-collections/agentic-collections/rh-developer/skills/recommend-image

    [HIGH] Indirect Prompt Injection via Transitive Trust in External Documents

    Severity: HIGH
    Category: prompt_injection
    Rule ID: LLM_PROMPT_INJECTION
    Location: SKILL.md

    Description: The skill's core logic, including scoring matrices and installation prerequisites, is defined in documents located outside the skill package (e.g., ../../docs/image-selection-criteria.md). The skill instructs the agent to trust and follow the content of these external files. An attacker who can modify these documents could inject malicious instructions, such as recommending a compromised container image or altering the skill's behavior, leading to a full compromise of the user's environment.

    Code Snippet:

    See [docs/image-selection-criteria.md](../../docs/image-selection-criteria.md) for comprehensive scoring matrices with weighted criteria by environment (production/development/edge/serverless).
    

    Remediation: All instructional content, data, and logic required for the skill's operation should be bundled within the skill's directory. Avoid referencing and trusting files using relative paths like ../../ that traverse outside the package.

    [MEDIUM] Protocol Manipulation through Capability Inflation and Keyword Baiting

    Severity: MEDIUM
    Category: skill_discovery_abuse
    Rule ID: LLM_SKILL_DISCOVERY_ABUSE
    Location: SKILL.md

    Description: The skill's description is excessively long and lists a large number of languages and frameworks (Node.js, Python, Java, Go, Ruby, .NET, PHP, Perl). This technique, known as keyword baiting, is designed to make the skill trigger for a very broad range of user queries, potentially causing it to be activated inappropriately and inflating its perceived capabilities.

    Code Snippet:

    description: Intelligently recommend the optimal S2I builder image or container base image for a project... Supports Node.js, Python, Java, Go, Ruby, .NET, PHP, and Perl on Red Hat UBI.
    

    Remediation: The skill description should be concise and accurately reflect its primary function. Avoid listing an exhaustive set of keywords; instead, describe the core capability in a way that allows the agent's discovery mechanism to function as intended.

    [MEDIUM] Supply Chain Risk via Guided Installation from External Source

    Severity: MEDIUM
    Category: supply_chain_attack
    Rule ID: LLM_SUPPLY_CHAIN_ATTACK
    Location: SKILL.md

    Description: The skill prompts the agent or user to install the skopeo dependency by following instructions from an external file (../../docs/prerequisites.md). This creates a supply chain vulnerability. If the external prerequisites.md file is compromised, it could instruct the user to download and execute a malicious binary, leading to arbitrary code execution.

    Code Snippet:

    Install skopeo: See [docs/prerequisites.md](../../docs/prerequisites.md) for installation commands by OS.
    

    Remediation: The skill should not prompt for the installation of external dependencies. Instead, it should state its prerequisites clearly and let the user manage their own environment securely. If installation guidance is necessary, it should be included directly within the skill's documentation, not referenced from an external, untrusted location.

    [LOW] Undeclared Tool Usage

    Severity: LOW
    Category: unauthorized_tool_use
    Rule ID: LLM_UNAUTHORIZED_TOOL_USE
    Location: SKILL.md

    Description: The skill's instructions require the execution of shell commands such as which skopeo and skopeo inspect, which necessitates the use of the Bash tool. However, the skill's manifest does not declare Bash in the allowed-tools field. This lack of declaration reduces transparency and bypasses a security control that could be used to restrict the skill's capabilities.

    Code Snippet:

    skopeo inspect docker://registry.access.redhat.com/ubi9/[candidate-image]
    

    Remediation: The skill's manifest should be updated to accurately reflect its tool usage by including Bash in the allowed-tools list (e.g., allowed-tools: [Bash]).

    [INFO] Skill does not specify a license

    Severity: INFO
    Category: policy_violation
    Rule ID: MANIFEST_MISSING_LICENSE
    Location: SKILL.md

    Description: Skill manifest does not include a 'license' field. Specifying a license helps users understand usage terms.

    Remediation: Add 'license' field to SKILL.md frontmatter (e.g., MIT, Apache-2.0)


[FAIL] debug-rhel

  • Max Severity: CRITICAL

  • Findings: 3

  • Directory: /home/runner/work/agentic-collections/agentic-collections/rh-developer/skills/debug-rhel

    [CRITICAL] Command Injection via Unsanitized User Input in SSH Commands

    Severity: CRITICAL
    Category: command_injection
    Rule ID: LLM_COMMAND_INJECTION
    Location: SKILL.md

    Description: The skill constructs shell commands for remote execution via SSH by directly embedding un-sanitized user-provided input, such as the service name ([service]). A malicious user can provide a crafted service name like nonexistent.service; rm -rf / to execute arbitrary commands on the remote target host. Many of the commands are executed with sudo, allowing for privileged command execution and potential full system compromise.

    Code Snippet:

    ssh [user]@[host] "systemctl status [service] --no-pager -l"
    

    Remediation: All user-provided input must be strictly sanitized and validated before being used in shell command strings. Implement input validation to ensure variables like service names conform to expected formats (e.g., alphanumeric characters, dashes, underscores). Use shell-quoting or parameterized execution methods if available to prevent user input from being interpreted as commands.

    [LOW] Missing 'allowed-tools' Declaration in Manifest

    Severity: LOW
    Category: skill_discovery_abuse
    Rule ID: LLM_SKILL_DISCOVERY_ABUSE
    Location: SKILL.md

    Description: The skill's manifest (SKILL.md frontmatter) does not specify the allowed-tools field. The skill's instructions clearly indicate the use of the Bash tool for executing remote commands via SSH. While optional, declaring this field improves clarity and allows for automated policy enforcement.

    Code Snippet:

    allowed-tools: Not specified
    

    Remediation: Add the allowed-tools field to the YAML manifest to explicitly declare the tools used by the skill. In this case, it should be allowed-tools: [Bash].

    [INFO] Skill does not specify a license

    Severity: INFO
    Category: policy_violation
    Rule ID: MANIFEST_MISSING_LICENSE
    Location: SKILL.md

    Description: Skill manifest does not include a 'license' field. Specifying a license helps users understand usage terms.

    Remediation: Add 'license' field to SKILL.md frontmatter (e.g., MIT, Apache-2.0)


[OK] debug-build

  • Max Severity: LOW

  • Findings: 2

  • Directory: /home/runner/work/agentic-collections/agentic-collections/rh-developer/skills/debug-build

    [LOW] Missing allowed-tools Declaration in Manifest

    Severity: LOW
    Category: skill_discovery_abuse
    Rule ID: LLM_SKILL_DISCOVERY_ABUSE
    Location: SKILL.md

    Description: The skill's manifest (SKILL.md frontmatter) does not specify the allowed-tools field. While this field is optional, its absence reduces clarity and bypasses a potential security control layer that could restrict the skill to a predefined set of agent capabilities. The skill's instructions imply the use of kubernetes and github MCPs, which should be explicitly declared.

    Code Snippet:

    allowed-tools: Not specified
    

    Remediation: Add an allowed-tools key to the SKILL.md frontmatter, listing the specific agent tools and MCPs the skill is intended to use (e.g., allowed-tools: [kubernetes, github]). This improves transparency and allows for policy enforcement.

    [INFO] Skill does not specify a license

    Severity: INFO
    Category: policy_violation
    Rule ID: MANIFEST_MISSING_LICENSE
    Location: SKILL.md

    Description: Skill manifest does not include a 'license' field. Specifying a license helps users understand usage terms.

    Remediation: Add 'license' field to SKILL.md frontmatter (e.g., MIT, Apache-2.0)


[OK] debug-scc

  • Max Severity: LOW

  • Findings: 2

  • Directory: /home/runner/work/agentic-collections/agentic-collections/rh-developer/skills/debug-scc

    [LOW] Missing allowed-tools Declaration in Manifest

    Severity: LOW
    Category: skill_discovery_abuse
    Rule ID: LLM_SKILL_DISCOVERY_ABUSE
    Location: SKILL.md

    Description: The skill's manifest (SKILL.md frontmatter) does not specify the allowed-tools field. While this field is optional, its absence reduces transparency about the skill's intended interactions with agent tools, such as the Kubernetes/OpenShift MCP server. Declaring expected tools enhances security posture by providing a clear contract of the skill's behavior.

    Code Snippet:

    The YAML manifest in SKILL.md does not contain the 'allowed-tools' key.
    

    Remediation: Add an allowed-tools key to the SKILL.md frontmatter and list the required tools, such as the specific Kubernetes/OpenShift tool it is designed to interact with.

    [INFO] Skill does not specify a license

    Severity: INFO
    Category: policy_violation
    Rule ID: MANIFEST_MISSING_LICENSE
    Location: SKILL.md

    Description: Skill manifest does not include a 'license' field. Specifying a license helps users understand usage terms.

    Remediation: Add 'license' field to SKILL.md frontmatter (e.g., MIT, Apache-2.0)


[OK] detect-project

  • Max Severity: LOW

  • Findings: 2

  • Directory: /home/runner/work/agentic-collections/agentic-collections/rh-developer/skills/detect-project

    [LOW] Missing allowed-tools Declaration in Manifest

    Severity: LOW
    Category: skill_discovery_abuse
    Rule ID: LLM_SKILL_DISCOVERY_ABUSE
    Location: SKILL.md

    Description: The SKILL.md manifest does not specify the allowed-tools field. While this field is optional, declaring it is a security best practice to explicitly define the skill's intended capabilities and limit its access to agent tools like file system operations or code execution. The skill's instructions imply the use of file system reading capabilities, which should be formally declared.

    Code Snippet:

    allowed-tools: Not specified
    

    Remediation: Add the allowed-tools key to the SKILL.md frontmatter to declare all tools the skill's instructions might cause the agent to use. For example: allowed-tools: [Read, Glob].

    [INFO] Skill does not specify a license

    Severity: INFO
    Category: policy_violation
    Rule ID: MANIFEST_MISSING_LICENSE
    Location: SKILL.md

    Description: Skill manifest does not include a 'license' field. Specifying a license helps users understand usage terms.

    Remediation: Add 'license' field to SKILL.md frontmatter (e.g., MIT, Apache-2.0)


[OK] validate-environment

  • Max Severity: LOW

  • Findings: 2

  • Directory: /home/runner/work/agentic-collections/agentic-collections/rh-developer/skills/validate-environment

    [LOW] Undeclared Tool Usage in Manifest

    Severity: LOW
    Category: unauthorized_tool_use
    Rule ID: LLM_UNAUTHORIZED_TOOL_USE
    Location: SKILL.md

    Description: The skill's manifest (SKILL.md frontmatter) does not specify the 'allowed-tools' field. The skill's instructions clearly indicate the use of the Bash tool to execute a series of local diagnostic commands. While not a direct vulnerability, declaring tool usage is a security best practice for clarity and policy enforcement.

    Code Snippet:

    allowed-tools: Not specified
    

    Remediation: Add the 'allowed-tools' field to the YAML frontmatter in SKILL.md and explicitly list the tools used, for example: allowed-tools: [Bash].

    [INFO] Skill does not specify a license

    Severity: INFO
    Category: policy_violation
    Rule ID: MANIFEST_MISSING_LICENSE
    Location: SKILL.md

    Description: Skill manifest does not include a 'license' field. Specifying a license helps users understand usage terms.

    Remediation: Add 'license' field to SKILL.md frontmatter (e.g., MIT, Apache-2.0)


[OK] debug-container

  • Max Severity: INFO

  • Findings: 1

  • Directory: /home/runner/work/agentic-collections/agentic-collections/rh-developer/skills/debug-container

    [INFO] Skill does not specify a license

    Severity: INFO
    Category: policy_violation
    Rule ID: MANIFEST_MISSING_LICENSE
    Location: SKILL.md

    Description: Skill manifest does not include a 'license' field. Specifying a license helps users understand usage terms.

    Remediation: Add 'license' field to SKILL.md frontmatter (e.g., MIT, Apache-2.0)


[OK] debug-pipeline

  • Max Severity: LOW

  • Findings: 2

  • Directory: /home/runner/work/agentic-collections/agentic-collections/rh-developer/skills/debug-pipeline

    [LOW] Missing 'allowed-tools' Declaration in Manifest

    Severity: LOW
    Category: unauthorized_tool_use
    Rule ID: LLM_UNAUTHORIZED_TOOL_USE
    Location: SKILL.md

    Description: The skill's manifest (SKILL.md YAML frontmatter) does not declare the allowed-tools field. While this field is optional, its absence means there is no explicit policy defining which tools the skill is permitted to use. This reduces security transparency and prevents automated enforcement of tool usage restrictions.

    Code Snippet:

    allowed-tools: Not specified
    

    Remediation: Explicitly declare the tools the skill is intended to use in the manifest. Based on the instructions, this should include the Kubernetes/OpenShift MCP tools. For example: allowed-tools: [kubernetes].

    [INFO] Skill does not specify a license

    Severity: INFO
    Category: policy_violation
    Rule ID: MANIFEST_MISSING_LICENSE
    Location: SKILL.md

    Description: Skill manifest does not include a 'license' field. Specifying a license helps users understand usage terms.

    Remediation: Add 'license' field to SKILL.md frontmatter (e.g., MIT, Apache-2.0)


[FAIL] rhel-deploy

  • Max Severity: CRITICAL

  • Findings: 5

  • Directory: /home/runner/work/agentic-collections/agentic-collections/rh-developer/skills/rhel-deploy

    [CRITICAL] Arbitrary Remote Code Execution via SSH and Sudo

    Severity: CRITICAL
    Category: command_injection
    Rule ID: LLM_COMMAND_INJECTION
    Location: SKILL.md

    Description: The skill is designed to execute commands with sudo privileges on a remote server via SSH, based on user instructions and project context. This provides a direct vector for arbitrary code execution, allowing a malicious user to compromise the target system by instructing the agent to run malicious commands, install backdoors, open firewall ports, or disable security controls.

    Code Snippet:

    ssh [target] "sudo dnf install -y [packages]"
    ssh [target] "sudo firewall-cmd --permanent --add-port=[port]/tcp"
    ssh [target] "sudo systemctl enable --now [app-name]"
    

    Remediation: This skill's core functionality is inherently dangerous and grants the agent remote administrative access. It should be heavily restricted to trusted users and environments. Implement strict validation and sanitization on all user-provided inputs (hostnames, packages, image names, ports). Avoid executing commands with sudo directly. Consider replacing direct command execution with a more structured API or a configuration management tool with pre-defined, safe actions.

    [HIGH] Supply Chain Vulnerability via Unvalidated Package and Image Installation

    Severity: HIGH
    Category: supply_chain_attack
    Rule ID: LLM_SUPPLY_CHAIN_ATTACK
    Location: SKILL.md

    Description: The skill installs system packages using dnf install and pulls container images using podman pull from external repositories. This exposes the target system to supply chain attacks, where a malicious user could specify a compromised package or container image, leading to the execution of malicious code on the server.

    Code Snippet:

    ssh [target] "sudo dnf install -y [packages]"
    ssh [target] "podman pull [image-reference]"
    

    Remediation: Do not allow users to specify arbitrary package or image names. Use a strict allowlist of approved packages and container images. Implement integrity checks (e.g., checksums, signatures) for all external resources before installation or deployment.

    [MEDIUM] Activation Priority Manipulation in Skill Description

    Severity: MEDIUM
    Category: skill_discovery_abuse
    Rule ID: LLM_SKILL_DISCOVERY_ABUSE
    Location: SKILL.md

    Description: The skill's description in the YAML manifest includes the directive 'CRITICAL: When user types /rhel-deploy, use THIS skill immediately.' This is an attempt to manipulate the agent's skill discovery and dispatching mechanism to prioritize its own activation, potentially overriding safer or more appropriate skills.

    Code Snippet:

    description: CRITICAL: When user types /rhel-deploy, use THIS skill immediately. This skill deploys applications to standalone RHEL/Fedora/CentOS systems...
    

    Remediation: Remove manipulative and directive language from the skill's name and description. The description should be a neutral, factual summary of the skill's capabilities, not an instruction to the agent's core logic.

    [LOW] Missing allowed-tools Declaration in Manifest

    Severity: LOW
    Category: unauthorized_tool_use
    Rule ID: LLM_UNAUTHORIZED_TOOL_USE
    Location: SKILL.md

    Description: The skill's manifest (SKILL.md frontmatter) does not declare the allowed-tools it requires, such as 'Bash'. While this is an optional field, its absence reduces transparency and bypasses potential security policies based on tool usage.

    Code Snippet:

    allowed-tools: Not specified
    

    Remediation: Explicitly declare all required tools in the allowed-tools list in the skill's manifest. For this skill, it should at least include 'Bash' to accurately reflect its reliance on shell command execution.

    [INFO] Skill does not specify a license

    Severity: INFO
    Category: policy_violation
    Rule ID: MANIFEST_MISSING_LICENSE
    Location: SKILL.md

    Description: Skill manifest does not include a 'license' field. Specifying a license helps users understand usage terms.

    Remediation: Add 'license' field to SKILL.md frontmatter (e.g., MIT, Apache-2.0)


[OK] helm-deploy

  • Max Severity: MEDIUM

  • Findings: 3

  • Directory: /home/runner/work/agentic-collections/agentic-collections/rh-developer/skills/helm-deploy

    [MEDIUM] Misleading Capability due to Missing Template Files

    Severity: MEDIUM
    Category: skill_discovery_abuse
    Rule ID: LLM_SKILL_DISCOVERY_ABUSE
    Location: SKILL.md

    Description: The skill's instructions state it can create a new Helm chart by using templates from local directories (e.g., 'templates/helm/'). However, the analysis indicates that these essential template files are missing from the skill package. This makes the 'Create a new Helm chart' feature non-functional, meaning the skill's advertised capabilities in its description and instructions are misleading as it cannot perform a core advertised function.

    Code Snippet:

    The instructions state: 'Use templates from templates/helm/ to generate...'. The provided analysis confirms these files are not found.
    

    Remediation: Ensure all required template files are included in the skill package to match the documented functionality. Alternatively, remove the feature for creating new charts from the skill's description and instructions if it is not supported.

    [LOW] Missing 'allowed-tools' Declaration in Manifest

    Severity: LOW
    Category: skill_discovery_abuse
    Rule ID: LLM_SKILL_DISCOVERY_ABUSE
    Location: SKILL.md

    Description: The skill's manifest (SKILL.md frontmatter) does not specify the 'allowed-tools' field. This field is important for enforcing security boundaries and informing the user and the agent about the tools the skill is expected to use (e.g., Bash, Python, file system access). While the field is optional, its absence reduces security transparency and the ability to enforce tool-use restrictions.

    Code Snippet:

    YAML Manifest Details: - allowed-tools: Not specified
    

    Remediation: Explicitly declare the tools the skill requires in the SKILL.md frontmatter. Based on the instructions, this would likely include tools for file system access (Read, Write, Glob) and shell execution (Bash) to run Helm commands.

    [INFO] Skill does not specify a license

    Severity: INFO
    Category: policy_violation
    Rule ID: MANIFEST_MISSING_LICENSE
    Location: SKILL.md

    Description: Skill manifest does not include a 'license' field. Specifying a license helps users understand usage terms.

    Remediation: Add 'license' field to SKILL.md frontmatter (e.g., MIT, Apache-2.0)


[OK] debug-pod

  • Max Severity: LOW

  • Findings: 2

  • Directory: /home/runner/work/agentic-collections/agentic-collections/rh-developer/skills/debug-pod

    [LOW] Missing allowed-tools Declaration in Manifest

    Severity: LOW
    Category: unauthorized_tool_use
    Rule ID: LLM_UNAUTHORIZED_TOOL_USE
    Location: SKILL.md

    Description: The SKILL.md manifest does not specify the allowed-tools field. While this field is optional, its absence means no explicit restrictions are placed on the tools the agent can use when executing this skill. This is a missed security best practice that could potentially allow for unintended tool usage if the agent's reasoning deviates from the instructions.

    Code Snippet:

    allowed-tools: Not specified
    

    Remediation: Add an allowed-tools key to the SKILL.md frontmatter and explicitly list the required tools or MCP servers, such as the openshift MCP server mentioned in the instructions. This enforces the principle of least privilege.

    [INFO] Skill does not specify a license

    Severity: INFO
    Category: policy_violation
    Rule ID: MANIFEST_MISSING_LICENSE
    Location: SKILL.md

    Description: Skill manifest does not include a 'license' field. Specifying a license helps users understand usage terms.

    Remediation: Add 'license' field to SKILL.md frontmatter (e.g., MIT, Apache-2.0)


[OK] s2i-build

  • Max Severity: LOW

  • Findings: 2

  • Directory: /home/runner/work/agentic-collections/agentic-collections/rh-developer/skills/s2i-build

    [LOW] Missing allowed-tools Declaration in Manifest

    Severity: LOW
    Category: skill_discovery_abuse
    Rule ID: LLM_SKILL_DISCOVERY_ABUSE
    Location: SKILL.md

    Description: The skill's manifest does not specify the allowed-tools field. While this field is optional, its absence means there is no explicit declaration of which agent tools the skill is intended to use. This reduces the ability to enforce tool usage restrictions at the platform level and decreases the clarity of the skill's capabilities.

    Code Snippet:

    allowed-tools: Not specified
    

    Remediation: Explicitly declare the tools the skill requires in the allowed-tools field of the SKILL.md frontmatter. Based on the instructions, this would likely include a specific tool for interacting with Kubernetes/OpenShift clusters.

    [INFO] Skill does not specify a license

    Severity: INFO
    Category: policy_violation
    Rule ID: MANIFEST_MISSING_LICENSE
    Location: SKILL.md

    Description: Skill manifest does not include a 'license' field. Specifying a license helps users understand usage terms.

    Remediation: Add 'license' field to SKILL.md frontmatter (e.g., MIT, Apache-2.0)


[OK] debug-network

  • Max Severity: INFO

  • Findings: 1

  • Directory: /home/runner/work/agentic-collections/agentic-collections/rh-developer/skills/debug-network

    [INFO] Skill does not specify a license

    Severity: INFO
    Category: policy_violation
    Rule ID: MANIFEST_MISSING_LICENSE
    Location: SKILL.md

    Description: Skill manifest does not include a 'license' field. Specifying a license helps users understand usage terms.

    Remediation: Add 'license' field to SKILL.md frontmatter (e.g., MIT, Apache-2.0)


[OK] deploy

  • Max Severity: LOW

  • Findings: 2

  • Directory: /home/runner/work/agentic-collections/agentic-collections/rh-developer/skills/deploy

    [LOW] Skill is Non-Functional Due to Missing Template Files

    Severity: LOW
    Category: resource_abuse
    Rule ID: LLM_RESOURCE_ABUSE
    Location: SKILL.md

    Description: The skill's instructions require reading from several YAML template files (e.g., templates/deployment.yaml.template, templates/service.yaml.template) to generate Kubernetes manifests. These essential files are missing from the skill package, which will cause the skill to fail during execution. This renders the skill unusable and disrupts its availability.

    Code Snippet:

    The instructions repeatedly reference non-existent files, for example: "Read `templates/deployment.yaml.template` and substitute `${APP_NAME}`, `${NAMESPACE}`, `${PORT}`, `${REPLICAS}` with session state values."
    

    Remediation: Include all required template files within the skill package at the paths specified in the instructions to ensure the skill can function as designed.

    [INFO] Skill does not specify a license

    Severity: INFO
    Category: policy_violation
    Rule ID: MANIFEST_MISSING_LICENSE
    Location: SKILL.md

    Description: Skill manifest does not include a 'license' field. Specifying a license helps users understand usage terms.

    Remediation: Add 'license' field to SKILL.md frontmatter (e.g., MIT, Apache-2.0)


[OK] containerize-deploy

  • Max Severity: LOW

  • Findings: 3

  • Directory: /home/runner/work/agentic-collections/agentic-collections/rh-developer/skills/containerize-deploy

    [LOW] Potential Disruption of Availability Due to Missing Files

    Severity: LOW
    Category: resource_abuse
    Rule ID: LLM_RESOURCE_ABUSE
    Location: SKILL.md

    Description: The skill's instructions reference a 'templates/helm/' directory for generating Helm charts, but this directory was not found in the provided package. This will cause the 'Create Helm chart' feature to fail at runtime, disrupting the availability of a key workflow.

    Code Snippet:

    If user chose "Create Helm chart":
    - Generate chart using templates from templates/helm/
    

    Remediation: Ensure that all referenced files and directories, such as 'templates/helm/', are included within the skill package. This prevents runtime errors and ensures all advertised features are functional.

    [LOW] Ambiguous Tool Permissions due to Missing Manifest Declaration

    Severity: LOW
    Category: skill_discovery_abuse
    Rule ID: LLM_SKILL_DISCOVERY_ABUSE
    Location: SKILL.md

    Description: The skill's manifest does not specify the 'allowed-tools' field. While this field is optional, its absence means the skill is not restricted in the tools it can use, creating ambiguity about its intended capabilities and permissions. This reduces clarity and could allow for unintended tool usage if the skill's logic were compromised.

    Code Snippet:

    allowed-tools: Not specified
    

    Remediation: To adhere to the principle of least privilege, explicitly declare the tools the skill is expected to use in the 'allowed-tools' field of the SKILL.md frontmatter. For an orchestrator skill, this should include the tools required by the sub-skills it invokes.

    [INFO] Skill does not specify a license

    Severity: INFO
    Category: policy_violation
    Rule ID: MANIFEST_MISSING_LICENSE
    Location: SKILL.md

    Description: Skill manifest does not include a 'license' field. Specifying a license helps users understand usage terms.

    Remediation: Add 'license' field to SKILL.md frontmatter (e.g., MIT, Apache-2.0)


Cross-Skill Findings

  • Findings: 4

    [HIGH] Potential data relay attack pattern detected

    Severity: HIGH
    Category: data_exfiltration
    Rule ID: CROSS_SKILL_DATA_RELAY
    Location: (cross-skill analysis)

    Description: Skills appear to form a data relay chain. Collectors (debug-rbac, recommend-image, debug-rhel, debug-build, detect-project, validate-environment, debug-container, debug-pipeline, rhel-deploy, helm-deploy, debug-pod, s2i-build, debug-network, deploy, containerize-deploy) access sensitive data while exfiltrators (containerize-deploy) send data to external destinations. This pattern may indicate a coordinated attack.

    Remediation: Review these skills together to ensure they are not collaborating to exfiltrate sensitive data. Consider disabling one or both skills.

    [MEDIUM] Multiple skills reference the same external domain

    Severity: MEDIUM
    Category: data_exfiltration
    Rule ID: CROSS_SKILL_SHARED_URL
    Location: (cross-skill analysis)

    Description: Domain 'docs.openshift.com' is referenced by 2 skills: debug-rbac, debug-scc. Multiple skills pointing to the same external resource may indicate coordinated C2 or exfiltration.

    Remediation: Review why multiple skills reference this domain and ensure it is a legitimate, trusted resource.

    [MEDIUM] Multiple skills reference the same external domain

    Severity: MEDIUM
    Category: data_exfiltration
    Rule ID: CROSS_SKILL_SHARED_URL
    Location: (cross-skill analysis)

    Description: Domain '[route-host' is referenced by 3 skills: helm-deploy, debug-network, deploy. Multiple skills pointing to the same external resource may indicate coordinated C2 or exfiltration.

    Remediation: Review why multiple skills reference this domain and ensure it is a legitimate, trusted resource.

    [MEDIUM] Multiple skills reference the same external domain

    Severity: MEDIUM
    Category: data_exfiltration
    Rule ID: CROSS_SKILL_SHARED_URL
    Location: (cross-skill analysis)

    Description: Domain '[app-name' is referenced by 2 skills: deploy, containerize-deploy. Multiple skills pointing to the same external resource may indicate coordinated C2 or exfiltration.

    Remediation: Review why multiple skills reference this domain and ensure it is a legitimate, trusted resource.


jordigilh added a commit to jordigilh/agentic-collections that referenced this pull request May 7, 2026
…RINCIPLES.md

Address Gemini code review feedback on PR RHEcosystemAppEng#79:
- Reorder sections: Human-in-the-Loop before Prerequisites
- Flesh out Prerequisites with Required MCP Servers/Tools, Verification
  Steps, Human Notification Protocol, and Security warning
- Add structured MCP Tool/Parameters/Expected Output/Error Handling
  blocks to all workflow steps
- Add Required MCP Tools subsection under Dependencies
- Add Example Usage section
- Use placeholder syntax (<name>) instead of hardcoded values
- Improve frontmatter description with Use when / NOT for patterns

Co-authored-by: Cursor <cursoragent@cursor.com>
jordigilh added a commit to jordigilh/agentic-collections that referenced this pull request May 7, 2026
Preemptive fixes based on PR RHEcosystemAppEng#79 review feedback:
- Add license: Apache-2.0 and allowed-tools to frontmatter
- Reorder sections: Human-in-the-Loop before Prerequisites
- Add full Prerequisites (MCP Servers/Tools, Verification Steps,
  Human Notification Protocol, Security warning)
- Add required ## When to Use This Skill section (fixes compliance-check)
- Add structured MCP Tool/Parameters/Expected Output/Error Handling
  blocks to all workflow steps
- Add Required MCP Tools subsection under Dependencies
- Add Example Usage section
- Add input validation in Step 1 (RFC 1123)
- Inline HITL requirements instead of external doc reference

Co-authored-by: Cursor <cursoragent@cursor.com>
@dmartinol (Collaborator):

Pls rebase

@jordigilh jordigilh force-pushed the feat/debug-scc-rbac-skills branch from 9d2de19 to a9076c2 Compare May 8, 2026 12:21
@jordigilh (Contributor, Author):

> Pls rebase

done :)

@jordigilh jordigilh force-pushed the feat/debug-scc-rbac-skills branch from a9076c2 to daa41af Compare May 8, 2026 12:42
@r2dedios (Contributor) commented May 8, 2026

Hi @jordigilh, as we discussed, I created a PR updating the configuration of the MCP servers in the rh-developer package.

Please get these changes and test:
1. Installation of this package works correctly
2. MCPs start correctly with the new config
3. The skills you're contributing can access and use the MCP server and its tools as expected.

Just validating it works normally after the MCP config changes. Thanks in advance.

@r2dedios (Contributor) commented May 8, 2026

@jordigilh the PR I sent you with the MCP config changes was merged. Now you can rebase and test.

@jordigilh jordigilh force-pushed the feat/debug-scc-rbac-skills branch from daa41af to 3473081 Compare May 8, 2026 17:18
@r2dedios r2dedios added the enhancement New feature or request label May 11, 2026
jordigilh and others added 6 commits May 11, 2026 09:28
Add two new diagnostic skills backed by validated golden transcripts
from Kubernaut demo scenarios:

- debug-scc: Diagnoses SCC violations blocking pod creation — parses
  ReplicaSet FailedCreate events, identifies non-compliant securityContext
  fields (runAsUser, capabilities, allowPrivilegeEscalation), and checks
  ServiceAccount SCC bindings.

- debug-rbac: Diagnoses RBAC permission failures causing 403 Forbidden
  errors — analyzes pod logs and readiness probes, identifies missing
  Role/RoleBinding for ServiceAccounts, and detects regression patterns
  where bindings are repeatedly removed.

Both skills follow the existing debug-pod/debug-network pattern with
human-in-the-loop checkpoints at each step.

Update CLAUDE.md intent routing and skill chaining, and register both
skills in .catalog/collection.yaml and collection.json.

Co-authored-by: Cursor <cursoragent@cursor.com>
…RINCIPLES.md

Address Gemini code review feedback on PR RHEcosystemAppEng#79:
- Reorder sections: Human-in-the-Loop before Prerequisites
- Flesh out Prerequisites with Required MCP Servers/Tools, Verification
  Steps, Human Notification Protocol, and Security warning
- Add structured MCP Tool/Parameters/Expected Output/Error Handling
  blocks to all workflow steps
- Add Required MCP Tools subsection under Dependencies
- Add Example Usage section
- Use placeholder syntax (<name>) instead of hardcoded values
- Improve frontmatter description with Use when / NOT for patterns

Co-authored-by: Cursor <cursoragent@cursor.com>
…c frontmatter

Required by skill-linter CI check.

Co-authored-by: Cursor <cursoragent@cursor.com>
…c and debug-rbac

- Declare allowed-tools in frontmatter restricting each skill to its
  read-only MCP tools (resources_get, resources_list, events_list,
  pod_list, and pod_logs for debug-rbac)
- Add input validation guidance in Step 1 requiring Kubernetes RFC 1123
  name validation before passing user-supplied identifiers to MCP tools

Co-authored-by: Cursor <cursoragent@cursor.com>
Linter requires space-delimited string, not YAML array.

Co-authored-by: Cursor <cursoragent@cursor.com>
Tested against the pinned openshift-mcp-server image from PR RHEcosystemAppEng#93.
Corrected tool names to match the actual MCP tool registry:
- pod_list → pods_list / pods_list_in_namespace
- pod_logs → pods_log

Co-authored-by: Cursor <cursoragent@cursor.com>
@jordigilh jordigilh force-pushed the feat/debug-scc-rbac-skills branch from bed4281 to 84ecc94 Compare May 11, 2026 13:29
@jordigilh (Contributor, Author):
@r2dedios rebased and tested against the merged MCP config changes from PR #93. Results:

  1. MCP server starts correctly with the new pinned image (quay.io/ecosystem-appeng/openshift-mcp-server@sha256:3531cb78...)
  2. tools/list returns 34 tools — all tool names referenced in debug-scc and debug-rbac are present:
    • resources_get
    • resources_list
    • events_list
    • pods_list
    • pods_list_in_namespace
    • pods_log
  3. allowed-tools frontmatter matches the live server output

Tested locally using a Kind cluster + podman with the exact container args from mcps.json. Also just rebased onto latest main.
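A script that automates the checks described in the commit message above (allowed-tools declared as a space-delimited string, Kubernetes RFC 1123 name validation before identifiers reach an MCP tool) and the tools/list comparison in this comment. This is an added example, not code from the PR or the skills themselves; the SKILL.md text and the live tool set are constructed stand-ins, and the real server reports more tools than listed here.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed SKILL.md frontmatter in the space-delimited form the linter accepts.
SKILL_MD = """---
name: debug-rbac
description: Diagnose RBAC 403 Forbidden failures for a ServiceAccount
license: Apache-2.0
allowed-tools: resources_get resources_list events_list pods_list pods_list_in_namespace pods_log
---
# debug-rbac
"""

# Constructed stand-in for the server's tools/list response (a subset, not all 34 tools).
LIVE_TOOLS: Set[str] = {"resources_get", "resources_list", "events_list", "pods_list",
                        "pods_list_in_namespace", "pods_log", "pods_delete", "resources_create_or_update"}

def parse_frontmatter(text: str) -> Dict[str, str]:
    """Return the key/value pairs between the opening and closing '---' lines."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        raise ValueError("SKILL.md has no frontmatter")
    fields: Dict[str, str] = {}
    for line in lines[1:]:
        if line.strip() == "---":
            return fields
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    raise ValueError("unterminated frontmatter")

def check_allowed_tools(skill_md: str, live: Set[str]) -> List[str]:
    """Lint the allowed-tools declaration; an empty list means it passes."""
    raw = parse_frontmatter(skill_md).get("allowed-tools")
    if raw is None:
        return ["allowed-tools not declared (scanner rule LLM_SKILL_DISCOVERY_ABUSE)"]
    if raw.startswith("["):
        return ["allowed-tools is a YAML array; the linter requires a space-delimited string"]
    # A declared tool missing from the live registry fails at runtime (cf. pod_list -> pods_list).
    return [f"unknown tool {t!r} (not in live tools/list)" for t in sorted(set(raw.split()) - live)]

# RFC 1123 DNS label: lowercase alphanumerics and '-', 1-63 chars, alphanumeric at both ends.
_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")

def is_rfc1123_label(name: str) -> bool:
    """Namespaces must be a single DNS label."""
    return bool(_LABEL.match(name))

def validate_target(namespace: str, name: str) -> Tuple[str, str]:
    """Reject user-supplied identifiers before they reach an MCP tool call (names may be subdomains)."""
    if not is_rfc1123_label(namespace):
        raise ValueError(f"invalid namespace {namespace!r}")
    if not (0 < len(name) <= 253 and all(is_rfc1123_label(p) for p in name.split("."))):
        raise ValueError(f"invalid resource name {name!r}")
    return namespace, name
```

Feed it the real SKILL.md files and the tool names from a live `tools/list` call to reproduce the check above against the pinned image.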

@r2dedios r2dedios added the hold Hold, do not merge label May 11, 2026