enumerating-cloud-with-cloudfox
Pass
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The
scripts/agent.pyscript executes thecloudfoxbinary usingsubprocess.run(). The implementation is secure as it passes arguments as a list rather than a single shell string, effectively preventing shell injection vulnerabilities. - [EXTERNAL_DOWNLOADS]: The skill provides instructions to install the
cloudfoxtool from Bishop Fox's official GitHub repository (github.com/BishopFox/cloudfox). Bishop Fox is a well-known and reputable organization in the cybersecurity community, and the installation source is considered trusted. - [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection because it ingests and summarizes data from external cloud environments (e.g., resource names, tags) that could be controlled by an adversary. However, the current implementation only prints summaries and counts rather than feeding the raw content into an automated execution loop, making the risk negligible in this context.
Audit Metadata