security-scan
Pass
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads and installs several security tools from established sources.
- Fetches the
uvpackage manager installer fromastral.sh, a well-known technology service. - Downloads the Automated Security Helper (ASH) directly from the
awslabsGitHub repository, which is a trusted organization under the AWS umbrella. - Installs Python dependencies (such as
pip-licenses) and Node.js tools (such aslicense-checker) from official registries. - [COMMAND_EXECUTION]: The skill makes extensive use of shell commands to coordinate various security scanners.
- Executes system commands like
find,grep,awk, andsedfor file discovery and report processing. - Orchestrates container operations via
docker build,docker login, anddocker rmifor image scanning. - Performs infrastructure operations using
cdk synthandcdk deployas part of its verification workflow. - [REMOTE_CODE_EXECUTION]: The skill uses a 'curl piped to shell' pattern (
curl ... | sh) to install theuvtool. This is a common installation method for this well-known service and is used here in a transparent manner for environment setup. - [DATA_EXFILTRATION]: No evidence of unauthorized data exfiltration was found. The skill processes project metadata and source code for the purpose of generating local security reports. It interacts with AWS ECR for image registry access using standard AWS CLI authentication.
- [INDIRECT_PROMPT_INJECTION]: The skill has an ingestion surface as it reads and processes project files (like
README.md,package.json, and Dockerfiles) to generate an HTML report. The reporting script (generate-html-report.py) includes proper HTML escaping and sanitization for the extracted content, mitigating the risk of cross-site scripting (XSS) or prompt injection via processed data.
Audit Metadata