agentcore-pricing

Warn

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill uses the exec(open(script).read()) pattern to execute code from a local Python script path that is determined dynamically based on environment variables (e.g., ~/.quickwork/skills/bedrock-pricing/scripts/bedrock_pricing.py). Executing the contents of a file at runtime via exec is a risky practice as it can lead to arbitrary code execution if an attacker manages to modify the target script file.
  • [COMMAND_EXECUTION]: The skill's documentation instructs the user to execute shell commands, such as python3 ... --refresh, to maintain local data files. This relies on the security of external scripts and encourages the execution of potentially unverified code in the user's shell environment.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it processes external pricing data from a JSON file (~/bedrock_pricing_agentcore.json) and incorporates it into agent calculations without clear boundary markers or sanitization logic.
  • Ingestion points: ~/bedrock_pricing_agentcore.json (referenced in SKILL.md)
  • Boundary markers: None identified in the workflow instructions
  • Capability inventory: exec and open operations (used in SKILL.md to load logic)
  • Sanitization: No validation or sanitization of the JSON input is described
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 23, 2026, 02:34 AM
Security Audit — agent-trust-hub — agentcore-pricing