s3-user-files

Pass

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill defines several administrative tools (read.js, write.js, list.js, delete.js, presign.js) that are executed via Node.js to manage S3 objects.
  • [EXTERNAL_DOWNLOADS]: The skill utilizes official AWS SDK packages (@aws-sdk/client-s3 and @aws-sdk/s3-request-presigner) to interact with AWS services. These are well-known, versioned dependencies from a trusted organization.
  • [DATA_EXFILTRATION]: While the skill performs network operations to AWS S3, it is designed for persistent storage. It employs strict isolation using a {user_id}/{filename} prefix strategy. Access is guarded by a restrictive regex in common.js that ensures the user_id matches expected platform namespaces (Telegram, Slack, Discord, WhatsApp), preventing unauthorized access to arbitrary S3 prefixes.
  • [PROMPT_INJECTION]: The skill processes untrusted data by reading file contents from S3 (read.js) and providing them to the agent context. This establishes an indirect prompt injection surface.
  • Ingestion points: Data enters the context via read.js and list.js.
  • Boundary markers: The instructions do not specify explicit delimiters for the retrieved content.
  • Capability inventory: The skill can read/write files and generate presigned URLs for external downloads.
  • Sanitization: Filenames and user IDs are heavily sanitized and validated, though the file content itself is treated as raw text.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 16, 2026, 09:22 AM
Security Audit — agent-trust-hub — s3-user-files