cost-governance

Pass

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
  • [SAFE]: The skill is designed for AWS cost management and demonstrates high security maturity by providing educational warnings about potential vulnerabilities.\n- [DYNAMIC_EXECUTION]: The skill processes user-defined logic strings (e.g., 'when' conditions for budget rules). It implements a secure evaluation pattern using the simpleeval library, which creates a restricted AST sandbox. This prevents arbitrary code execution by disabling built-in functions, imports, and attribute access.\n- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute aws ce get-cost-and-usage. This is a legitimate use of the AWS CLI to fetch Cost Explorer data necessary for its primary governance function.\n- [EXTERNAL_DOWNLOADS]: The skill references MCP servers from the awslabs GitHub organization and pricing data from anthropic.com. These are well-known, trusted technology entities, and the references are consistent with the skill's purpose.\n- [REMOTE_CODE_EXECUTION]: A YARA signature for sensitive file exfiltration via curl was triggered by text in SKILL.md. Technical analysis confirms this is a false positive; the snippet is contained within a 'Bad Example' block explicitly labeled '절대 하지 말 것' (Never Do This). The functional code of the skill explicitly avoids this pattern and uses a safe alternative.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 16, 2026, 09:15 AM
Security Audit — agent-trust-hub — cost-governance