aurora-dsql
Pass
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [Secure Authentication Architecture]: The skill exclusively uses IAM-based authentication via the AWS CLI (
aws dsql generate-db-connect-auth-token). Tokens are short-lived (15 minutes) and managed in memory, which is a standard security practice for AWS services. - [Proactive SQL Injection Prevention]: Includes a dedicated Python utility (
scripts/safe_query.py) that uses allow-lists, regex validation, and dollar-quoting to construct SQL. The skill instructions mandate the use of this helper for any dynamic query construction, providing a strong defense against SQL injection attacks. - [Local Command Execution]: The skill utilizes several local shell scripts (
scripts/*.sh) to wrap AWS CLI commands andpsqlsessions. These scripts are used for cluster management and database connectivity, which is consistent with the skill's stated purpose of database administration. - [Encryption and Transport Security]: Database connections default to
sslmode=verify-full, ensuring encrypted transit and server identity verification. While a--skip-cert-verifyflag exists for troubleshooting, it includes a clear warning that it is vulnerable to MITM and should not be used in production. - [Principle of Least Privilege]: The documentation (
references/access-control.md) strongly emphasizes the use of scoped database roles over the 'admin' role for application workloads, aligning with industry security standards for access management.
Audit Metadata