sdlc-agents-provision-aws
Warn
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill extracts values from
.sdlc-agents/selection.yamland.dispatch/agents.yamlusingyqand interpolates them directly into shell commands (e.g.,gh variable set,aws iam create-role,cat > /tmp/deploy-trust.json). This pattern is vulnerable to command injection if these configuration files are modified to contain malicious shell payloads. - [PROMPT_INJECTION]: The skill exhibits an Indirect Prompt Injection surface. It ingests untrusted data from
selection.yaml(Ingestion point) without any boundary markers or sanitization logic. This data is interpolated into critical security configurations, such as IAM trust policies and GitHub Actions secrets. The skill possesses extensive capabilities (Capability inventory), including IAM role creation, policy attachment, and repository secret management via theawsandghCLIs. - [COMMAND_EXECUTION]: The skill explicitly instructs the agent to attach the
AdministratorAccessmanaged policy to the deployment role. While noted as a convenience for demos, granting full administrative privileges via an automated agent script represents a significant security risk and violates the principle of least privilege. - [COMMAND_EXECUTION]: The skill manages GitHub OIDC providers and IAM trust policies. If the
GH_OWNERorGH_REPOvariables are manipulated in the local configuration files, it could lead to the creation of trust relationships that allow unauthorized external repositories to assume the deployment role and access the AWS account.
Audit Metadata