deploy-cdk-stack

Warn

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses eval to execute a command string fetched from an AWS CloudFormation stack output (DeployMigrationCommand). This represents a command injection risk as it executes arbitrary strings retrieved from a remote environment without sanitization.
  • Evidence: MIGRATION_COMMAND=$(aws cloudformation describe-stacks ... --query "Stacks[0].Outputs[?OutputKey=='DeployMigrationCommand'].OutputValue" ...); eval $MIGRATION_COMMAND in SKILL.md.
  • [COMMAND_EXECUTION]: Deployment commands use the --require-approval never flag, which bypasses the built-in AWS CDK security prompts for sensitive changes such as IAM policy modifications or resource deletions.
  • Evidence: npx cdk deploy --require-approval never --all in SKILL.md.
  • [EXTERNAL_DOWNLOADS]: The skill performs automated package installation using npm ci, which downloads dependencies from the external NPM registry at runtime.
  • Evidence: npm ci calls in backend and cdk directories in SKILL.md.
  • [REMOTE_CODE_EXECUTION]: By combining the retrieval of a remote string from AWS CloudFormation with the eval command, the skill creates a path for remote code execution if the cloud environment's stack outputs are manipulated.
  • Evidence: The database migration logic in SKILL.md.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 1, 2026, 01:38 AM