corgiro
Pass
Audited by Gen Agent Trust Hub on Jul 2, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: The skill includes a dedicated 'Prompt Injection Defense (T3)' section in
SKILL.md. This section correctly identifies AWS resource metadata (tags, names, descriptions) as untrusted, attacker-controlled input and establishes mandatory rules for the agent to treat this data only as content to be reported, never as instructions to be executed. - [DATA_EXFILTRATION]: The skill implements a robust credential protection model. The
corgiro-readonly-role.yamlCloudFormation template includes aDenySensitiveDataPlaneReadspolicy that explicitly blocks access to high-value data such as Secrets Manager secrets, SSM parameters, and S3 object contents, effectively preventing bulk data exfiltration even if the read-only role is compromised. Additionally,references/credential-resolution.mdincludes checks for disk encryption (FileVault/LUKS) before accessing local state files. - [DATA_EXFILTRATION]: The skill fetches AWS version lifecycle information from official AWS documentation domains (
docs.aws.amazon.com). These network operations are strictly limited to well-known, trusted sources and are used for data collection rather than code execution. - [COMMAND_EXECUTION]: The skill generates self-contained HTML reports. To prevent cross-site scripting (XSS) attacks from malicious AWS resource metadata, the skill mandates HTML-entity escaping and truncation for all resource-derived strings before they are inserted into report templates.
- [COMMAND_EXECUTION]: The
mode-buildermode allows for the creation of new automation scripts. This is protected by a validation workflow that restricts allowed AWS CLI commands to read-only verbs (describe-*,list-*,get-*) and performs a leak scan for internal tokens or identifiers.
Audit Metadata