amplify-workflow
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE
PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes user-controlled project files, such as `package.json` and the `amplify/` directory, to determine development state and planning.
  - Ingestion points: `SKILL.md` reads `package.json` and the `amplify/` directory to understand the project state.
  - Boundary markers: There are no explicit delimiters or instructions to ignore embedded commands within the content of the ingested project files.
  - Capability inventory: The skill possesses extensive capabilities, including executing shell scripts, AWS CLI commands, and package manager (npm) operations.
  - Sanitization: The workflow does not specify any sanitization or validation logic for the data read from local project files before it influences the agent's decision-making process.
- [REMOTE_CODE_EXECUTION]: The skill dynamically retrieves instructional "SOPs" (Standard Operating Procedures) from an external `aws-mcp` server. These fetched SOPs, such as `amplify-backend-implementation` and `amplify-deployment-guide`, provide the primary logic and code-generation instructions followed by the agent.
- [COMMAND_EXECUTION]: The skill executes a bundled shell script `scripts/prereq-check.sh` to validate the local environment and invokes system tools including `npm`, `aws`, and various framework-specific development servers.
- [DATA_EXFILTRATION]: The prerequisite check script executes `aws sts get-caller-identity`, which retrieves and exposes the user's AWS Account ID to the agent's processing context.
Audit Metadata