AI-driven intelligent operations system for proactive monitoring, intelligent diagnosis, and automated remediation. Use for AIOps tasks, SRE automation, or i...
Security Analysis
Medium confidence

The repository broadly matches an AIOps agent (collectors, detectors, executors), but the package metadata and runtime instructions disagree about what the skill needs and the code contains powerful execution paths (K8s/Ansible/webhooks) that warrant caution before installing or granting credentials.
The name/description match the included source: collectors, anomaly detection, RCA, action planners, and executors (K8s, K8s-cluster, Ansible, HTTP) are present and coherent with an AIOps/SRE automation tool. However the skill registry metadata claims 'instruction-only' / no env vars required while the repo and SKILL.md clearly expect many external integrations (LLM keys, K8s, vector DB, webhooks, MySQL/Redis optional). That metadata mismatch is suspicious but could be sloppy publishing rather than malicious misdirection.
SKILL.md instructs cloning, pip installing dependencies, running docker-compose/make, and setting environment variables (OPENAI/ANTHROPIC keys, WEBHOOK_URL, KUBECONFIG, etc.). Those runtime actions are expected for this project, but they ask the agent/user to supply secrets and to run commands that start services which can perform cluster-level operations. The instructions do not declare the full set of env vars or warn explicitly about the high privileges needed for the executors. The SKILL.md does not try to read unrelated system files, but it assumes access to kubeconfigs and credentials which broaden the attack surface.
There is no remote-download install spec — the repo provides Docker Compose, a Dockerfile reference, requirements.txt, and standard Python install steps. No suspicious external URLs or archive extracts are present in the manifest. The lack of an official homepage, unknown source, and a direct Dockerfile/docker-compose workflow means users will build/run code locally; verify the Dockerfile and image builds before running.
Registry metadata lists no required env vars/credentials, but the SKILL.md and config files expect multiple sensitive keys and endpoints (ANTHROPIC/OPENAI API key, QDRANT URL/key, LARK app_secret/encrypt_key, KUBECONFIG or in-cluster permissions, MySQL/Redis credentials, webhooks, PagerDuty). Those are plausible for an AIOps agent, but the skill should have declared the required secrets up front — the omission is an inconsistency and increases risk. The number and sensitivity of variables are high relative to a simple 'skill' install.
The skill is not marked always:true, and model invocation is allowed (normal). The real concern is the code's capabilities: k8s cluster-level executors (node cordon/drain), PVC snapshot/expand, Ansible executor, and HTTP executors can perform destructive or high-impact operations if given credentials with broad privileges. If you run this agent or grant it cluster-admin / high-permission credentials, it could autonomously modify infrastructure. Treat autonomous execution + powerful execution backends as high-risk unless you enforce least-privilege and manual approvals.
Guidance
This repo appears to implement a full AIOps agent and therefore legitimately requires sensitive credentials (LLM keys, Kubernetes credentials, vector DB and webhook secrets). However: 1) the registry metadata claims no env/installs while the code and SKILL.md ask for many secrets — that mismatch is a red flag; 2) the code includes executors that can run Ansible and perform node-level K8s operations — don't give cluster-admin or root credentials. Before installing: review the Dockerfile and entrypoint, run in an isolated sandbox or test cluster, create least-privilege service accounts (restrict K8s verbs and namespaces), avoid exposing production kubeconfigs, rotate any keys you provide, and audit webhook/callback endpoints. If provenance (author, homepage, organization) is unknown, prefer local code review and manual testing rather than granting the agent autonomous access in production.
Latest Release
v1.0.1
Added k8s, ansible, rag, lark approval
Published by @jame-mei-ltp on ClawHub