securing-aws-lambda-execution-roles

Pass

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from an AWS environment.
      • Ingestion points: The script scripts/agent.py retrieves function names, runtime metadata, and IAM policy documents via boto3 calls (list_functions, get_role_policy).
      • Boundary markers: There are no boundary markers or explicit instructions provided to the agent to disregard instructions embedded within the retrieved cloud metadata.
      • Capability inventory: The skill provides instructions and capabilities to create and modify high-privilege IAM resources, including iam:CreatePolicy, iam:AttachRolePolicy, and organizations:CreatePolicy (documented in SKILL.md).
      • Sanitization: Policy documents and function metadata are processed as raw strings or JSON without sanitization, allowing potential injection strings in resource names or policy statements to influence agent behavior.
  • [COMMAND_EXECUTION]: The skill defines several command-line operations using the aws CLI and a custom Python script.
      • Evidence: The workflow in SKILL.md includes commands for listing functions, auditing policies, and applying security boundaries (aws lambda list-functions, aws iam put-role-permissions-boundary).
      • Context: These commands are the primary intended function of the skill for cloud security auditing and remediation. They target well-known AWS services and do not involve suspicious execution patterns like piping remote content into a shell.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 15, 2026, 03:56 PM