diff-scanning-with-aws-security-agent
Pass
Audited by Gen Agent Trust Hub on Jun 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- Command Execution: The skill uses standard system utilities including
gitto identify code changes,zipto package the workspace, andawsCLI to interact with cloud services. These commands are used as intended for security scanning workflows. - Data Management and Transfer: The project's source code is packaged into a temporary archive and uploaded to an Amazon S3 bucket within the user's account (
s3://security-agent-scans-<account>-<region>). While the skill excludes many common metadata and build folders (like.gitandnode_modules), users should be aware that files in the root directory not explicitly excluded will be included in the upload for analysis. - Resource Identification: The skill executes
aws sts get-caller-identityto resolve the AWS Account ID, which is used to construct resource ARNs and bucket names specific to the user's environment.
Audit Metadata