implementing-aws-config-rules-for-compliance

Pass

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: SAFE (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides numerous shell command examples and a Python script using the boto3 SDK to programmatically modify AWS account configurations. Evidence includes shell commands in SKILL.md for creating S3 buckets, starting configuration recorders, and deploying Config rules. The scripts/agent.py script executes put_config_rule and put_remediation_configurations, which alter the state of the target AWS environment.
  • [DATA_EXFILTRATION]: The skill gathers configuration metadata from AWS resources to evaluate compliance status. The scripts/agent.py script collects resource IDs, types, and compliance annotations via get_compliance_details_by_config_rule. The tool provides functionality to export this aggregated compliance data to a local JSON file using the --output argument.
  • [PROMPT_INJECTION]: The skill processes potentially untrusted metadata from external AWS resources (e.g., EC2 tags and configuration items) as part of its compliance evaluation logic.
      • Ingestion points: scripts/agent.py reads compliance details and SKILL.md defines a Lambda function that processes invokingEvent data.
      • Boundary markers: No specific delimiters or safety warnings are used to wrap external data in the code or documentation.
      • Capability inventory: The skill can modify cloud configurations and write data to the local filesystem.
      • Sanitization: No evidence of sanitization or validation of the ingested resource metadata was found in the provided scripts.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 20, 2026, 11:33 PM