iam-temp-delegation-review
Pass
Audited by Gen Agent Trust Hub on Jul 8, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches AWS Service Authorization Reference (SAR) data from
https://servicereference.us-east-1.amazonaws.com/. This is an official AWS domain. The implementation insrc/iam_delegation_review/sar_lib/_feed.pyincludes a validation utility (_validate_feed_url) that strictly allowlists the*.amazonaws.comsuffix and enforces HTTPS. - [COMMAND_EXECUTION]: The skill uses standard AWS CLI and Python commands for environment setup and execution (e.g.,
pip install,aws sts get-caller-identity). These are necessary for its documented purpose and target a controlled environment (virtualenv). - [DATA_EXFILTRATION]: No evidence of unauthorized data exfiltration. Network activity is limited to official AWS endpoints (Access Analyzer and the SAR feed). Local state is managed within a
registry/directory with path validation (_validate_path_component) to prevent directory traversal. - [PROMPT_INJECTION]: The skill uses detailed instructional documents (
procedure-reviewer.mdandprocedure-verifier.md) to guide the agent. It emphasizes grounding analysis in authoritativesar_context.jsondata, which mitigates risks associated with processing potentially untrusted IAM policy documents. - [SAFE]: The code follows professional software engineering practices, including schema validation for its configuration files, use of locks for concurrent network access, and a clear multi-stage pipeline with deterministic gates.
Audit Metadata