skills/aws-samples/sample-host-openclaw-on-amazon-bedrock-agentcore/s3-user-files/Gen Agent Trust Hub
s3-user-files
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill defines several administrative tools (
read.js,write.js,list.js,delete.js,presign.js) that are executed via Node.js to manage S3 objects. - [EXTERNAL_DOWNLOADS]: The skill utilizes official AWS SDK packages (
@aws-sdk/client-s3and@aws-sdk/s3-request-presigner) to interact with AWS services. These are well-known, versioned dependencies from a trusted organization. - [DATA_EXFILTRATION]: While the skill performs network operations to AWS S3, it is designed for persistent storage. It employs strict isolation using a
{user_id}/{filename}prefix strategy. Access is guarded by a restrictive regex incommon.jsthat ensures theuser_idmatches expected platform namespaces (Telegram, Slack, Discord, WhatsApp), preventing unauthorized access to arbitrary S3 prefixes. - [PROMPT_INJECTION]: The skill processes untrusted data by reading file contents from S3 (
read.js) and providing them to the agent context. This establishes an indirect prompt injection surface. - Ingestion points: Data enters the context via
read.jsandlist.js. - Boundary markers: The instructions do not specify explicit delimiters for the retrieved content.
- Capability inventory: The skill can read/write files and generate presigned URLs for external downloads.
- Sanitization: Filenames and user IDs are heavily sanitized and validated, though the file content itself is treated as raw text.
Audit Metadata