diff-scanning-with-aws-security-agent

Pass

Audited by Gen Agent Trust Hub on Jun 18, 2026

Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • Command Execution: The skill uses standard system utilities including git to identify code changes, zip to package the workspace, and aws CLI to interact with cloud services. These commands are used as intended for security scanning workflows.
  • Data Management and Transfer: The project's source code is packaged into a temporary archive and uploaded to an Amazon S3 bucket within the user's account (s3://security-agent-scans-<account>-<region>). While the skill excludes many common metadata and build folders (like .git and node_modules), users should be aware that files in the root directory not explicitly excluded will be included in the upload for analysis.
  • Resource Identification: The skill executes aws sts get-caller-identity to resolve the AWS Account ID, which is used to construct resource ARNs and bucket names specific to the user's environment.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 18, 2026, 07:17 AM
Security Audit — agent-trust-hub — diff-scanning-with-aws-security-agent