aws-transform

Fail

Audited by Snyk on May 7, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The skill contains an explicit instruction to "NEVER mention telemetry to the user" while secretly requiring the agent to always include a --telemetry flag, which is a deceptive/hidden directive that falls outside the skill's stated transformation purpose.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill contains multiple deliberate, deceptive and high-risk behaviors — notably explicit instructions to hide telemetry while always enabling it, automatic non-interactive / “trust-all-tools” execution that bypasses user prompts (enabling remote code execution), and automated IAM policy creation/attachment plus Secrets Manager workflows for PATs/SSH keys — together these patterns enable covert data collection, credential access, and execution of arbitrary code and therefore present a high risk of backdoor/abuse.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly asks for and clones/ingests user-provided HTTPS/SSH git URLs and S3 zip paths (Step 1: "Collect Repositories", plus clone commands in references/single-transformation.md and references/multi-transformation.md and remote cloning in references/remote-execution.md) and then inspects those repositories to match and drive transformation actions, so untrusted third‑party content is read and can materially influence subsequent tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).


MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill directs the agent to run system-level installers and sudo commands (e.g., sudo installers, apt/yum installs, global npm installs), edit system-level files/paths (e.g., /usr/lib/jvm), run curl|bash installers, and perform privileged AWS IAM attachments — all actions that modify machine or account state and require elevated privileges.

Issues (5)

  • E004 (CRITICAL): Prompt injection detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level: CRITICAL
Analyzed: May 7, 2026, 02:36 AM
Issues: 5