aurora-dsql

Pass

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [Secure Authentication Architecture]: The skill exclusively uses IAM-based authentication via the AWS CLI (aws dsql generate-db-connect-auth-token). Tokens are short-lived (15 minutes) and managed in memory, which is a standard security practice for AWS services.
  • [Proactive SQL Injection Prevention]: Includes a dedicated Python utility (scripts/safe_query.py) that uses allow-lists, regex validation, and dollar-quoting to construct SQL. The skill instructions mandate the use of this helper for any dynamic query construction, providing a strong defense against SQL injection attacks.
  • [Local Command Execution]: The skill utilizes several local shell scripts (scripts/*.sh) to wrap AWS CLI commands and psql sessions. These scripts are used for cluster management and database connectivity, which is consistent with the skill's stated purpose of database administration.
  • [Encryption and Transport Security]: Database connections default to sslmode=verify-full, ensuring encrypted transit and server identity verification. While a --skip-cert-verify flag exists for troubleshooting, it includes a clear warning that it is vulnerable to MITM and should not be used in production.
  • [Principle of Least Privilege]: The documentation (references/access-control.md) strongly emphasizes the use of scoped database roles over the 'admin' role for application workloads, aligning with industry security standards for access management.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 30, 2026, 12:56 PM
Security Audit — agent-trust-hub — aurora-dsql