aws-s3-eks

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE
Categories flagged: COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill contains several shell scripts (scripts/create-s3-bucket.sh and scripts/setup-pod-identity.sh) that execute system-level commands using aws, kubectl, and eksctl based on user-provided arguments.
  • Evidence: The scripts use set -euo pipefail and include a --dry-run mode, which are good practices, but they still represent a significant command execution surface for AWS infrastructure and Kubernetes clusters.
  • [DATA_EXFILTRATION]: The script scripts/create-s3-bucket.sh includes an option (--public-read) that explicitly applies a public-read policy to the created S3 bucket, potentially exposing data to the public internet if misconfigured.
  • Evidence: Line 158 in scripts/create-s3-bucket.sh applies a policy allowing s3:GetObject to Principal: "*" when the --public-read flag is used.
  • [SAFE]: The skill promotes the use of EKS Pod Identity, which is a secure alternative to static IAM credentials or IRSA (IAM Roles for Service Accounts) with OIDC providers.
  • Evidence: The documentation in SKILL.md and references/openapi.yaml correctly explains how AWS_CONTAINER_CREDENTIALS_FULL_URI is used by the AWS SDK to retrieve temporary credentials, reducing the risk of hardcoded secret exposure.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 10, 2026, 07:02 AM