agentcore-pricing
Warn
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill uses the
exec(open(script).read())pattern to execute code from a local Python script path that is determined dynamically based on environment variables (e.g.,~/.quickwork/skills/bedrock-pricing/scripts/bedrock_pricing.py). Executing the contents of a file at runtime viaexecis a risky practice as it can lead to arbitrary code execution if an attacker manages to modify the target script file. - [COMMAND_EXECUTION]: The skill's documentation instructs the user to execute shell commands, such as
python3 ... --refresh, to maintain local data files. This relies on the security of external scripts and encourages the execution of potentially unverified code in the user's shell environment. - [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it processes external pricing data from a JSON file (
~/bedrock_pricing_agentcore.json) and incorporates it into agent calculations without clear boundary markers or sanitization logic. - Ingestion points:
~/bedrock_pricing_agentcore.json(referenced in SKILL.md) - Boundary markers: None identified in the workflow instructions
- Capability inventory:
execandopenoperations (used in SKILL.md to load logic) - Sanitization: No validation or sanitization of the JSON input is described
Audit Metadata