aws-cdk
Pass
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- Command Execution: The skill utilizes AWS and CDK CLI tools to perform infrastructure operations. While these commands are powerful, they are used here as intended for cloud resource management within the AWS ecosystem.
- Sensitive Path Reference: The documentation references standard AWS credential storage locations like ~/.aws/credentials. This is used to guide users through troubleshooting authentication issues and is a common practice for AWS development tools.
- Elevation of Privilege Surface: Commands such as cdk bootstrap provision IAM roles with significant permissions. The skill mitigates risk by instructing the use of permissions boundaries and OIDC for secure, least-privileged access.
- Indirect Prompt Injection Surface: The agent ingests data from CloudFormation events and stack outputs which could theoretically be manipulated. However, the use of structured AWS CLI tools and CloudFormation schema validation provides a layer of protection. Ingestion points: CloudFormation event logs (troubleshooting-deployment.md); Boundary markers: Use of explicit CLI commands; Capability inventory: Shell execution of cdk and aws commands (SKILL.md); Sanitization: Relies on CloudFormation internal resource validation.
Audit Metadata