aws-agentic-ai

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill describes an agent architecture that ingests untrusted data from multiple sources (user input, session history, OpenAPI schemas) while possessing high-privilege capabilities, creating a significant surface for injection attacks.
  • Ingestion points: Untrusted data enters the agent context via request.get("input") in services/runtime/README.md, memory.add_event in services/memory/README.md, and through S3-hosted OpenAPI schemas in services/gateway/README.md.
  • Boundary markers: No explicit boundary markers or instruction-isolation delimiters are implemented in the provided agent code snippets.
  • Capability inventory: The skill provides instructions for arbitrary code execution in isolated sandboxes (services/code-interpreter/README.md) and outbound network requests to external APIs (services/gateway/README.md).
  • Sanitization: While the README files recommend input sanitization as a best practice, the provided logic snippets do not show any actual validation or filtering of untrusted content.
  • [Command Execution] (MEDIUM): The skill contains administrative shell scripts (services/gateway/deploy-template.sh, services/gateway/validate-deployment.sh) that execute complex command sequences including aws CLI, npm run build, and cdk deploy based on environment-provided variables.
  • [Dynamic Execution] (MEDIUM): The deployment script services/gateway/deploy-template.sh loads environment variables dynamically with export $(cat $ENV_FILE | xargs), which could lead to unintended environment injection if the source file is modified by an attacker.
  • [External Downloads] (LOW): The skill references external package managers for installation (pip install bedrock-agentcore), which involves downloading code from remote registries. Since these target the trusted AWS ecosystem, the finding is downgraded per [TRUST-SCOPE-RULE].
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 11:37 PM