The Agent Skills Directory

COMMAND_EXECUTION (HIGH): The skill grants the agent extensive access to the AWS CLI, including aws bedrock *, aws s3 *, and aws secretsmanager *. This allows for powerful operations like resource deletion, secret retrieval, and data modification, which can be catastrophic if the agent is manipulated by an attacker.
PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) due to its core functionality.
Ingestion points: The skill reads OpenAPI schemas from S3 buckets and local environment files (e.g., .env.production).
Boundary markers: There are no boundary markers or instructions to ignore embedded commands within these external files.
Capability inventory: The skill possesses high-privilege write and execute capabilities across multiple AWS services.
Sanitization: No evidence of sanitization or validation of the content within the ingested schemas or environment files was found before they are used to drive CLI operations.
CREDENTIALS_UNSAFE (LOW): While documentation correctly uses placeholders like 'YOUR_API_KEY', the script services/gateway/deploy-template.sh uses export $(cat $ENV_FILE | xargs). This pattern can lead to credential exposure if the agent's environment or execution logs are captured.

aws-agentic-ai