中文 EN

扫描报告

扫描新文件

低风险 — 风险评分 28/100
上次扫描:17 小时前 重新扫描
28 /100
k3s-deploy
自动化部署 K3s Kubernetes 集群到多台 Linux 服务器
A legitimate K3s cluster deployment tool with documented remote SSH execution and shell capabilities, but with weak credential handling patterns (passwords as CLI arguments) and an undeclared `curl|sh` remote script execution pattern.
技能名称k3s-deploy
分析耗时54.0s
引擎pi
可以安装
Accept for use but replace password-based SSH with key-based auth; document the `curl -sfL https://get.k3s.io | sh` behavior in SKILL.md; avoid passing credentials via command-line arguments.

安全发现 5 项

严重性 安全发现 位置
中危
Undeclared `curl|sh` remote script execution 文档欺骗
SKILL.md examples show only CLI flag-based usage (`./scripts/deploy-k3s.sh --master ...`), but the actual implementation executes `curl -sfL https://get.k3s.io | sh` on remote servers. This remote script download pattern is not mentioned in documentation.
ssh_exec $host $user $pass "curl -sfL https://get.k3s.io | sh -s - server ..."
→ Document the `curl -sfL https://get.k3s.io | sh` execution pattern in SKILL.md and clarify that the script installs K3s by fetching and running the official installer script from get.k3s.io.
 scripts/deploy-k3s.sh:98
中危
Credentials passed via command-line arguments 凭证窃取
SSH passwords are provided as CLI arguments (--masters-pass, --workers-pass). These appear in /proc/*/cmdline, ps output, and shell history, making them visible to other processes and log analysis tools.
--masters-pass) MASTER_PASS="$2"; shift 2 ;;
→ Use SSH key-based authentication instead of password-based auth, or prompt for passwords interactively using sshpass -p in a non-echoing manner, or use environment variables with proper scoping.
 scripts/deploy-k3s.sh:24
低危
K3s cluster token written to world-readable temp file 数据外泄
The K3s cluster join token (node-token) is fetched from the remote master and written to /tmp/k3s-token.txt, then read back to join worker nodes. This file is stored with default permissions.
echo "$token" > /tmp/k3s-token.txt
→ Use a protected temp file (e.g., with restrictive permissions via chmod 600) or pass the token through a subprocess variable rather than writing to disk.
 scripts/deploy-k3s.sh:105
低危
Modifies /etc/fstab and /etc/cni/net.d on remote systems 权限提升
The script modifies /etc/fstab (disabling swap) and writes CNI configs to /etc/cni/net.d/ on remote servers via SSH. These are privileged operations that affect system configuration.
ssh_exec $host $user $pass "swapoff -a && sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab"
→ These operations are legitimate for K3s installation but should be clearly documented so operators understand the system-level changes being made.
 scripts/deploy-k3s.sh:88
提示
Remote script fetched from external URL without integrity check 供应链
The K3s installer script is fetched from https://get.k3s.io using curl without signature verification or version pinning. While get.k3s.io is the official source, the script content is not verified before execution.
curl -sfL https://get.k3s.io | sh -s - server
→ Consider downloading the K3s binary directly from the GitHub releases with a pinned version and SHA256 checksum verification before execution.
 scripts/deploy-k3s.sh:98
资源类型声明权限推断权限状态证据
命令执行 WRITE WRITE ✓ 一致 SKILL.md declares remote SSH deployment; scripts/deploy-k3s.sh:59-61 execute arb…
网络访问 NONE READ ✓ 一致 scripts/deploy-k3s.sh:98 `curl -sfL https://get.k3s.io` fetches K3s installer; i…
文件系统 NONE WRITE ✓ 一致 scripts/deploy-k3s.sh:109 writes kubeconfig to ~/.kube/config; line 254 writes C…
环境变量 NONE READ ✓ 一致 scripts/deploy-k3s.sh:105 reads K3S_TOKEN from remote /var/lib/rancher/k3s/serve…
技能调用 NONE NONE No cross-skill invocation found
剪贴板 NONE NONE No clipboard access
浏览器 NONE NONE No browser access
数据库 NONE NONE No database access
1 严重 5 项发现
💀
严重 危险命令 危险 Shell 命令
curl -sfL https://get.k3s.io | sh
scripts/deploy-k3s.sh:98
🔗
中危 外部 URL 外部 URL
https://docker.mirrors.ustc.edu.cn
references/troubleshooting.md:224
🔗
中危 外部 URL 外部 URL
https://hub-mirror.c.163.com
references/troubleshooting.md:225
🔗
中危 外部 URL 外部 URL
https://get.k3s.io
scripts/deploy-k3s.sh:98
🔗
中危 外部 URL 外部 URL
https://$MASTER_IP:6443
scripts/deploy-k3s.sh:135

目录结构

4 文件 · 20.3 KB · 867 行
Shell 2f · 472L Markdown 2f · 395L
├─ 📁 references
│ └─ 📝 troubleshooting.md Markdown 292L · 5.7 KB
├─ 📁 scripts
│ ├─ 🔧 deploy-k3s.sh Shell 439L · 11.2 KB
│ └─ 🔧 pull-images.sh Shell 33L · 990 B
└─ 📝 SKILL.md Markdown 103L · 2.5 KB

安全亮点

✓ No obfuscation or base64-encoded commands detected
✓ No credential exfiltration or C2 communication patterns
✓ No access to ~/.ssh, ~/.aws, or other credential storage paths
✓ No supply_chain typosquatting or malicious dependencies (no package manager files)
✓ No prompt injection or hidden instructions in comments
✓ All shell operations are directly related to the documented K3s deployment purpose
✓ Uses sshpass for SSH which is a legitimate deployment tool
✓ Image sources use known Chinese cloud registries (Huawei Cloud, Alibaba Cloud) appropriate for the deployment region