The Agent Skills Directory

[COMMAND_EXECUTION]: The skill contains a large number of shell commands for the AWS CLI used to enumerate, exploit, and modify cloud resources. This includes commands to delete or disable security logging mechanisms, such as 'aws cloudtrail delete-trail', to hide activity.
[DATA_EXFILTRATION]: Provides specific procedures for exfiltrating sensitive data from S3 buckets using 'aws s3 sync' and harvesting data from EC2 instances by snapshotting and mounting EBS volumes to attacker-controlled systems.
[REMOTE_CODE_EXECUTION]: Instructs the agent on how to backdoor AWS Lambda functions by injecting Python code to escalate privileges or exfiltrate environment variables. It also details the use of AWS Systems Manager (SSM) to execute arbitrary commands on EC2 instances.
[EXTERNAL_DOWNLOADS]: Fetches several security auditing and exploitation tools (Pacu, enumerate-iam, aws_consoler, cloudmapper, etc.) from external GitHub repositories. These tools originate from well-known security research organizations.
[CREDENTIALS_UNSAFE]: Explains how to extract temporary AWS credentials from the EC2 Instance Metadata Service (IMDSv1 and IMDSv2) and Fargate container metadata endpoints. It also includes instructions for converting CLI access keys into console sign-in URLs.
[PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it processes untrusted data from the target AWS environment (such as resource names, tags, or S3 object metadata) and interpolates this data into CLI commands and decision-making logic without sanitization.
Ingestion points: Outputs from enumeration commands like 'aws iam list-users' and 'aws s3 ls'.
Boundary markers: None.
Capability inventory: Significant capabilities including file system writes, network operations, and code modification via 'lambda update-function-code'.
Sanitization: No sanitization or validation of external resource metadata is described.

aws-penetration-testing