| Server / tool | A untrusted | B sensitive | C external |
|---|---|---|---|
| kubernetes / kubectl_apply | · | · | ● |
| ↳ kubectl_delete | · | · | ● |
| ↳ kubectl_generic | · | · | · |
| ↳ kubectl_get | · | ● | · |
| ↳ kubectl_logs | · | ● | · |
| ↳ kubectl_scale | · | ● | ● |
Tool 'kubectl_generic' exposes code or command execution to the agent, so an injected instruction could run commands on the host.
✓ Sandbox execution, drop privileges, allow-list commands, and require human approval for any code-execution tool.
ASI05 · Unexpected Code Execution · confidence 70%
This server's toolset already holds two trifecta axes (B:sensitive-access, C:external-comms). Adding a tool with the third axis — or connecting it alongside another server that provides it — would complete the lethal trifecta.
✓ Break the trifecta: remove one axis, split capabilities across isolated agents, or require human approval for the state-changing / external-comms step.
ASI02 · Tool Misuse and Exploitation · confidence 60%