aws-cloud-ops
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/main.cjs` executes the `aws` CLI binary using `child_process.spawn`. Although it uses `shell: false` to prevent shell-level injection, it passes agent-provided arguments directly to the system. This allows the agent to execute any AWS command supported by the installed CLI and the user's current IAM permissions, bypassing the 'Read-Only' or 'Limited' scopes suggested in the documentation.
- [EXTERNAL_DOWNLOADS]: The `SKILL.md` file provides instructions to download the AWS CLI v2 from official Amazon domains (aws.amazon.com and awscli.amazonaws.com). These are recognized as trusted sources.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it allows the agent to ingest untrusted data from external AWS services.
  - Ingestion points: Data is retrieved from CloudWatch logs and S3 buckets via `aws logs` and `aws s3` commands executed in `scripts/main.cjs`.
  - Boundary markers: None are implemented to distinguish between retrieved data and agent instructions.
  - Capability inventory: The agent can execute a wide range of AWS operations via the subprocess spawn in `scripts/main.cjs`, including resource modification or deletion.
  - Sanitization: There is no evidence of content filtering or validation for data pulled from external AWS resources before it is presented to the agent model.
Audit Metadata