querying-aws-cloudwatch

Pass

Audited by Gen Agent Trust Hub on Jun 17, 2026

Risk Level: SAFE
Full Analysis
  • [Data Processing Surface]: The skill is designed to analyze AWS log data, such as VPC Flow logs and WAF logs. Since these logs capture external activity, they represent a potential surface for indirect prompt injection if the agent were to process the data without caution. The documentation responsibly identifies this by noting that log data should be treated as sensitive.
  • [IAM and Permission Management]: The skill guides users through setting up the necessary IAM roles and Lake Formation permissions. It incorporates security best practices by recommending the use of aws:SourceAccount and aws:SourceArn condition keys in trust policies to protect against confused deputy attacks.
  • [Authorized Command Execution]: The skill utilizes official AWS CLI commands and Amazon Athena SQL syntax to perform its tasks. These operations are restricted to the environment's configured AWS credentials and occur within the user's controlled cloud infrastructure.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 17, 2026, 09:12 PM
Security Audit — agent-trust-hub — querying-aws-cloudwatch