aws-iam-policy-analysis

Fail

Audited by Socket on Apr 22, 2026

3 alerts found:

Security x2, Malware

Security: MEDIUM
SKILL.md

SUSPICIOUS. The skill’s core purpose is coherent as AWS policy/security analysis, but it crosses into offensive security enablement for an AI agent and explicitly references webhook.site, a known exfiltration endpoint. Official AWS tooling is low concern, yet the combination of exploit guidance, external target fetching, ambient AWS credential use, and optional third-party tools makes the overall skill high risk even without confirmed malware.

Confidence: 90%, Severity: 86%

Security: MEDIUM
references/s3-attack-techniques.md

This fragment is high-risk because it provides executable-style guidance for cloud account enumeration and policy-based probing: it programmatically sets up IAM access, uses STS AssumeRole with dynamically crafted session policies, and repeatedly calls S3 GetObject while using AWS error responses as an oracle to infer a target bucket’s owning AWS account ID. While it does not show stealth/persistence/data-theft payloads, it is directly weaponizable for offensive reconnaissance against AWS resources, making it inappropriate for benign dependencies.

Confidence: 70%, Severity: 82%

Malware: HIGH
references/aws-resource-policy-exploits.md

This fragment is highly indicative of malicious intent: it is an actionable AWS exploitation guide demonstrating how to bypass Lambda/API Gateway protections (via permissive Lambda `Principal: *` and API Gateway schema-validation evasion through `Content-Type`) and how to hijack SNS notifications by creating an attacker-controlled HTTPS subscription endpoint that satisfies weak policy conditions. It includes realistic code examples and external webhook interception, making it suitable for unauthorized execution and notification capture in misconfigured environments. Treat as high-risk security-abusive content, not benign library code.

Confidence: 74%, Severity: 92%

Audit Metadata
Analyzed At: Apr 22, 2026, 10:09 AM
Package URL: pkg:socket/skills-sh/wgpsec%2FAboutSecurity%2Faws-iam-policy-analysis%2F@adc133726fbf19db17afb008a83dd9313067bcca