aws-sst-development

Pass

Audited by Gen Agent Trust Hub on Jun 15, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill implements a security hook that automatically verifies the current AWS account identity (aws sts get-caller-identity) before sensitive tools like sst deploy are executed, reducing the risk of accidental deployment to incorrect environments.
  • [SAFE]: Instructional content provides high-quality security guidance, explicitly directing the use of sst.Secret for credentials and providing warnings against echoing secrets into logs or plaintext SSM parameters.
  • [SAFE]: The skill follows secure infrastructure-as-code patterns, such as mandating the use of $interpolate for Pulumi outputs to prevent malformed policy documents and ensuring stage-gated resource protection to prevent accidental deletion of production assets.
  • [SAFE]: Operational guidelines include clear instructions for state hygiene, specifically directing the deletion of temporary state files (/tmp/state.json) because they contain sensitive account and resource identifiers.
  • [SAFE]: External dependencies and tools are standard for the development workflow (npm, pnpm, aws-cli, sst) and are used for their primary intended purposes without suspicious side effects.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 15, 2026, 02:02 PM
Security Audit — agent-trust-hub — aws-sst-development