sdlc-agents-provision-aws

Warn

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill extracts values from .sdlc-agents/selection.yaml and .dispatch/agents.yaml using yq and interpolates them directly into shell commands (e.g., gh variable set, aws iam create-role, cat > /tmp/deploy-trust.json). This pattern is vulnerable to command injection if these configuration files are modified to contain malicious shell payloads.
  • [PROMPT_INJECTION]: The skill exhibits an Indirect Prompt Injection surface. It ingests untrusted data from selection.yaml (Ingestion point) without any boundary markers or sanitization logic. This data is interpolated into critical security configurations, such as IAM trust policies and GitHub Actions secrets. The skill possesses extensive capabilities (Capability inventory), including IAM role creation, policy attachment, and repository secret management via the aws and gh CLIs.
  • [COMMAND_EXECUTION]: The skill explicitly instructs the agent to attach the AdministratorAccess managed policy to the deployment role. While noted as a convenience for demos, granting full administrative privileges via an automated agent script represents a significant security risk and violates the principle of least privilege.
  • [COMMAND_EXECUTION]: The skill manages GitHub OIDC providers and IAM trust policies. If the GH_OWNER or GH_REPO variables are manipulated in the local configuration files, it could lead to the creation of trust relationships that allow unauthorized external repositories to assume the deployment role and access the AWS account.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 16, 2026, 04:19 PM
Security Audit — agent-trust-hub — sdlc-agents-provision-aws