remediating-with-aws-security-agent
Pass
Audited by Gen Agent Trust Hub on Jun 18, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- Sensitive Data Handling: The skill processes AWS Security Agent findings, which may contain sensitive exploit scripts or reproduction steps. To mitigate potential exposure, it enforces storage in a gitignored local directory (
.security-agent/) and limits the amount of detail shared in chat sessions to high-level summaries.\n- Command Execution: This skill utilizes theawsCLI to interact with AWS Security Agent services. These operations include listing agent spaces, pentests, and code reviews, as well as fetching finding summaries and details. This behavior is consistent with the skill's intended purpose for managing AWS security resources.\n- Automated Remediation Surface: The skill is designed to apply code fixes based on remediation suggestions from the Security Agent. It uses a structured triage process and requires explicit user confirmation before applying any changes through the editor tool.\n- Environment Awareness: The skill executesgit remote -vand reads standard project manifests (such aspackage.jsonorpyproject.toml) to identify the local application context. This information is used solely to match the repository with its corresponding security scan in the AWS account.\n- Indirect Instruction Processing (Vulnerability Surface): This skill ingests findings from external AWS APIs. While these sources are managed, the agent is instructed to summarize these findings for the user. (Ingestion: AWS Security Agent API; Boundary Markers: Explicit instructions to keep sensitive details out of chat; Capability Inventory: File creation, editor modifications, shell execution via AWS CLI; Sanitization: Confidence-based filtering of results).
Audit Metadata