k3s-deploy Security Report — Low Risk | ClawSafe

28 /100

k3s-deploy

自动化部署 K3s Kubernetes 集群到多台 Linux 服务器

A legitimate K3s cluster deployment tool with documented remote SSH execution and shell capabilities, but with weak credential handling patterns (passwords as CLI arguments) and an undeclared `curl|sh` remote script execution pattern.

Skill Namek3s-deploy

Duration54.0s

Enginepi

✓

Safe to install

Accept for use but replace password-based SSH with key-based auth; document the `curl -sfL https://get.k3s.io | sh` behavior in SKILL.md; avoid passing credentials via command-line arguments.

Findings 5 items

Severity	Finding	Location
Medium	Undeclared `curl\|sh` remote script execution Doc Mismatch SKILL.md examples show only CLI flag-based usage (`./scripts/deploy-k3s.sh --master ...`), but the actual implementation executes `curl -sfL https://get.k3s.io \| sh` on remote servers. This remote script download pattern is not mentioned in documentation. `ssh_exec $host $user $pass "curl -sfL https://get.k3s.io \| sh -s - server ..."` → Document the `curl -sfL https://get.k3s.io \| sh` execution pattern in SKILL.md and clarify that the script installs K3s by fetching and running the official installer script from get.k3s.io.	`scripts/deploy-k3s.sh:98`
Medium	Credentials passed via command-line arguments Credential Theft SSH passwords are provided as CLI arguments (--masters-pass, --workers-pass). These appear in /proc/*/cmdline, ps output, and shell history, making them visible to other processes and log analysis tools. `--masters-pass) MASTER_PASS="$2"; shift 2 ;;` → Use SSH key-based authentication instead of password-based auth, or prompt for passwords interactively using sshpass -p in a non-echoing manner, or use environment variables with proper scoping.	`scripts/deploy-k3s.sh:24`
Low	K3s cluster token written to world-readable temp file Data Exfil The K3s cluster join token (node-token) is fetched from the remote master and written to /tmp/k3s-token.txt, then read back to join worker nodes. This file is stored with default permissions. `echo "$token" > /tmp/k3s-token.txt` → Use a protected temp file (e.g., with restrictive permissions via chmod 600) or pass the token through a subprocess variable rather than writing to disk.	`scripts/deploy-k3s.sh:105`
Low	Modifies /etc/fstab and /etc/cni/net.d on remote systems Priv Escalation The script modifies /etc/fstab (disabling swap) and writes CNI configs to /etc/cni/net.d/ on remote servers via SSH. These are privileged operations that affect system configuration. `ssh_exec $host $user $pass "swapoff -a && sed -i '/ swap / s/^$.*$$/#\1/g' /etc/fstab"` → These operations are legitimate for K3s installation but should be clearly documented so operators understand the system-level changes being made.	`scripts/deploy-k3s.sh:88`
Info	Remote script fetched from external URL without integrity check Supply Chain The K3s installer script is fetched from https://get.k3s.io using curl without signature verification or version pinning. While get.k3s.io is the official source, the script content is not verified before execution. `curl -sfL https://get.k3s.io \| sh -s - server` → Consider downloading the K3s binary directly from the GitHub releases with a pinned version and SHA256 checksum verification before execution.	`scripts/deploy-k3s.sh:98`

Resource	Declared	Inferred	Status	Evidence
Shell	`WRITE`	`WRITE`	✓ Aligned	SKILL.md declares remote SSH deployment; scripts/deploy-k3s.sh:59-61 execute arb…
Network	`NONE`	`READ`	✓ Aligned	scripts/deploy-k3s.sh:98 `curl -sfL https://get.k3s.io` fetches K3s installer; i…
Filesystem	`NONE`	`WRITE`	✓ Aligned	scripts/deploy-k3s.sh:109 writes kubeconfig to ~/.kube/config; line 254 writes C…
Environment	`NONE`	`READ`	✓ Aligned	scripts/deploy-k3s.sh:105 reads K3S_TOKEN from remote /var/lib/rancher/k3s/serve…
Skill Invoke	`NONE`	`NONE`	—	No cross-skill invocation found
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	No browser access
Database	`NONE`	`NONE`	—	No database access

1 Critical 5 findings

💀

Critical Dangerous Command 危险 Shell 命令

curl -sfL https://get.k3s.io | sh

scripts/deploy-k3s.sh:98

🔗

Medium External URL 外部 URL

https://docker.mirrors.ustc.edu.cn

references/troubleshooting.md:224

🔗

Medium External URL 外部 URL

https://hub-mirror.c.163.com

references/troubleshooting.md:225

🔗

Medium External URL 外部 URL

https://get.k3s.io

scripts/deploy-k3s.sh:98

🔗

Medium External URL 外部 URL

https://$MASTER_IP:6443

scripts/deploy-k3s.sh:135

File Tree

4 files · 20.3 KB · 867 lines

Shell 2f · 472L Markdown 2f · 395L

├─ ▾ 📁 references

│ └─ 📝 troubleshooting.md Markdown 292L · 5.7 KB

├─ ▾ 📁 scripts

│ ├─ 🔧 deploy-k3s.sh Shell 439L · 11.2 KB

│ └─ 🔧 pull-images.sh Shell 33L · 990 B

└─ 📝 SKILL.md Markdown 103L · 2.5 KB

Security Positives

✓ No obfuscation or base64-encoded commands detected

✓ No credential exfiltration or C2 communication patterns

✓ No access to ~/.ssh, ~/.aws, or other credential storage paths

✓ No supply_chain typosquatting or malicious dependencies (no package manager files)

✓ No prompt injection or hidden instructions in comments

✓ All shell operations are directly related to the documented K3s deployment purpose

✓ Uses sshpass for SSH which is a legitimate deployment tool

✓ Image sources use known Chinese cloud registries (Huawei Cloud, Alibaba Cloud) appropriate for the deployment region

Scan Report

Findings 5 items

File Tree

Security Positives