/audit-security
The /audit-security skill looks for over-privileged identities and workloads: ServiceAccounts with more access than they use, pods running as root or with host-level escapes, and bindings that grant cluster-wide power where a namespace-scoped role would do.
Run it without arguments for a full sweep, or name a workflow to scope the report.
```
/audit-security                      # full sweep
/audit-security rbac                 # single workflow
/audit-security pods in kube-system  # natural-language scope
```
Natural-language scoping (namespaces, label selectors, workload names) is supported on every workflow (see Overview).
Workflows
1. RBAC
Sources: Kubernetes API.
2. Pod security
Sources: Kubernetes API, evaluated against the upstream Pod Security Standards.
3. Secrets & ServiceAccount tokens
Sources: Kubernetes API.
What the agent is told
Beyond the workflows, the skill briefs the agent on how to report:
- Rank findings by blast radius: cluster-scoped wildcards above namespace-scoped ones, host escapes above missing seccomp profiles.
- Be explicit that RBAC checks are static: they find what Roles grant, not what subjects actually use. Detecting truly unused permissions requires audit-log analysis, which this skill does not do.
- Reference Secret objects by name, namespace, and type only; never read or surface their contents.
- Explain why a finding matters in one line (what the privilege enables) rather than only naming the offending verb or flag.
- Hand off to /investigate for a specific workload, and to /audit-network for mTLS and mesh posture, which sits adjacent to pod security.
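To make the three workflows and the reporting rules above concrete, here is an added example (not the skill's own code, and not an implementation of it) that runs static checks of the same kind over a constructed set of Kubernetes objects: wildcard Roles bound cluster-wide or per namespace, pods with host namespaces, privileged containers, root and missing seccomp (the Baseline and Restricted points of the Pod Security Standards), legacy long-lived ServiceAccount token Secrets, and automounted tokens. Findings are ranked by blast radius, each carries a one-line "why", and Secrets are referenced by name, namespace and type without touching their data. The particular checks, severity numbers, object names and sample data are assumptions chosen for illustration.

```python
# Added example for this page, not the /audit-security skill's own code. It runs
# static checks of the kind the three workflows describe over constructed
# Kubernetes objects (plain dicts shaped like API responses) and ranks findings
# the way the reporting rules ask. Checks, severities and sample data are assumed.
from typing import Any, Dict, List

Obj = Dict[str, Any]

def is_wildcard(role: Obj) -> bool:
    """A '*' in resources or verbs grants far more than any enumerated verb."""
    return any("*" in r.get("resources", []) or "*" in r.get("verbs", [])
               for r in role.get("rules", []))

def audit_rbac(roles: List[Obj], bindings: List[Obj]) -> List[Obj]:
    """Static RBAC check: reports what bindings grant, not what subjects use
    (finding unused permissions would need audit logs, which this never reads)."""
    # Roles are namespaced, ClusterRoles are not; key the wildcard set accordingly.
    wild = {(r["kind"], r["metadata"].get("namespace", ""), r["metadata"]["name"])
            for r in roles if is_wildcard(r)}
    out: List[Obj] = []
    for b in bindings:
        ns, ref = b["metadata"].get("namespace", ""), b["roleRef"]
        if (ref["kind"], ns if ref["kind"] == "Role" else "", ref["name"]) not in wild:
            continue
        cluster_wide = b["kind"] == "ClusterRoleBinding"
        scope = "cluster-wide" if cluster_wide else f"in namespace {ns}"
        for s in b.get("subjects", []):
            out.append({"severity": 4 if cluster_wide else 3, "workflow": "rbac",
                        "object": f'{b["kind"]}/{b["metadata"]["name"]}',
                        "why": f'{s["kind"]} {s.get("namespace", "")}/{s["name"]} holds '
                               f'wildcard {ref["kind"]} {ref["name"]} {scope}'})
    return out

def audit_pod(pod: Obj) -> List[Obj]:
    """Host namespaces and privileged violate PSS Baseline; non-root and a
    seccomp profile are Restricted requirements. Host escapes outrank the rest."""
    spec, meta = pod["spec"], pod["metadata"]
    out: List[Obj] = []
    def add(sev: int, wf: str, why: str) -> None:
        out.append({"severity": sev, "workflow": wf, "why": why,
                    "object": f'Pod/{meta["namespace"]}/{meta["name"]}'})
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            add(3, "pods", f"{key}=true shares the node's {key[4:]} namespace")
    pod_sc = spec.get("securityContext", {})   # container settings override pod-level
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            add(3, "pods", f'container {c["name"]} is privileged (all caps, host devices)')
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        if not non_root and sc.get("runAsUser", pod_sc.get("runAsUser")) in (None, 0):
            add(2, "pods", f'container {c["name"]} does not enforce non-root (uid 0 or unset)')
        if sc.get("seccompProfile", pod_sc.get("seccompProfile")) is None:
            add(1, "pods", f'container {c["name"]} has no seccomp profile')
    if spec.get("automountServiceAccountToken", True):
        add(1, "secrets", "ServiceAccount token automounted: code exec yields an API credential")
    return out

def audit_secrets(secrets: List[Obj]) -> List[Obj]:
    """Reference Secrets by name, namespace and type only; .data is never read."""
    return [{"severity": 2, "workflow": "secrets", "type": s["type"],
             "object": f'Secret/{s["metadata"]["namespace"]}/{s["metadata"]["name"]}',
             "why": "legacy long-lived ServiceAccount token; anyone who can get it holds it"}
            for s in secrets if s.get("type") == "kubernetes.io/service-account-token"]

def run_audit(objs: Dict[str, List[Obj]]) -> List[Obj]:
    """Blast-radius order: cluster-wide wildcards, host escapes, then hardening gaps."""
    findings = audit_rbac(objs["roles"], objs["bindings"]) + audit_secrets(objs["secrets"])
    for p in objs["pods"]:
        findings += audit_pod(p)
    return sorted(findings, key=lambda f: -f["severity"])   # stable, keeps workflow order

# Constructed sample cluster state (not real data).
WILD = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
SAMPLE: Dict[str, List[Obj]] = {
    "roles": [
        {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"}, "rules": WILD},
        {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
         "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
        {"kind": "Role", "metadata": {"name": "ns-admin", "namespace": "dev"}, "rules": WILD}],
    "bindings": [
        {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "wildcard-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "build"}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "monitor"},
         "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
         "subjects": [{"kind": "ServiceAccount", "name": "prom", "namespace": "monitoring"}]},
        {"kind": "RoleBinding", "metadata": {"name": "dev-admin", "namespace": "dev"},
         "roleRef": {"kind": "Role", "name": "ns-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "dev"}]}],
    "pods": [
        {"metadata": {"name": "node-agent", "namespace": "kube-system"},
         "spec": {"hostPID": True,
                  "containers": [{"name": "agent", "securityContext": {"privileged": True}}]}},
        {"metadata": {"name": "web", "namespace": "dev"},
         "spec": {"automountServiceAccountToken": False,
                  "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
                  "containers": [{"name": "app"}]}}],
    "secrets": [
        {"metadata": {"name": "ci-token-x7q2p", "namespace": "build"},
         "type": "kubernetes.io/service-account-token", "data": {"token": "NEVER-SURFACED"}}],
}

if __name__ == "__main__":
    for f in run_audit(SAMPLE):
        print(f'[{f["severity"]}] {f["workflow"]:<7} {f["object"]}: {f["why"]}')
```

Running it lists the cluster-wide wildcard binding first, the namespace-scoped wildcard and the two host escapes next, and the seccomp and automount gaps last; the monitor binding (a narrow ClusterRole) and the hardened web pod produce nothing, and the token Secret is named by namespace, name and type with its data never read. Against a live cluster the same functions would consume the output of the corresponding list calls on the API server, and the RBAC caveat still applies: this tells you what is granted, not what is used.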