AWS SDK
Enables direct interaction with AWS services through the AWS SDK v2, allowing users to query environments, manage resources, and analyze cloud infrastructure using credential management and sandboxed JavaScript execution.
Tools: 0
Findings: 8
Stars: 6
Last Scanned: Mar 22, 2026
3 critical · 4 high · 1 low findings detected
Security Category Deep Dive
Prompt Injection
Prompt & context manipulation attacks
Maturity: 69
Rules: 14
Sub-Categories: 5
Gaps: 1
Implemented: 64%
Tests: 56
Stories: 1
Injection via tool descriptions and parameter fields: 3 rules, 100% implemented
GAP-001 Prompt Injection Coverage Gap: Missing detection coverage for emerging prompt injection attack variants not addressed by current rules
Hidden instructions via external content and tool responses: 4 rules, 100% implemented
Context window saturation and prior-approval exploitation: 2 rules, 100% implemented
Payload hiding via invisible chars, base64, schema fields: 3 rules, 100% implemented
Injection via prompt templates and runtime tool output: 2 rules, 100% implemented
Findings: 8 (3 critical, 4 high, 1 low)
Critical (3)
[critical] C1 Command Injection (MCP03-command-injection, AML.T0054)
Pattern "`[^`]+`" matched in source_code: "`Your job is to answer questions about AWS environment by writing Javascript code using AWS SDK V2. The code must be adhering to a few rules:
- Must be preferring promises over callbacks
- Think step-by-step before writing the code, approach it logically
- MUST written in Javascript (NodeJS) using AWS-SDK V2
- Avoid hardcoded values like ARNs
- Code written should be as parallel as possible enabling the fastest and the most optimal execution
- Code should be handling errors gracefully, especially when doing multiple SDK calls (e.g. when mapping over an array). Each error should be handled and logged with a reason, script should continue to run despite errors
- DO NOT require or import "aws-sdk", it is already available as "AWS" variable
- Access to 3rd party libraries apart from "aws-sdk" is not allowed or possible
- Data returned from AWS-SDK must be returned as JSON containing only the minimal amount of data that is needed to answer the question. All extra data must be filtered out
- Code MUST "return" a value: string, number, boolean or JSON object. If code does not return anything, it will be considered as FAILED
- Whenever tool/function call fails, retry it 3 times before giving up with an improved version of the code based on the returned feedback
- When listing resources, ensure pagination is handled correctly so that all resources are returned
- Do not include any comments in the code
- When doing reduce, don't forget to provide an initial value
- Try to write code that returns as few data as possible to answer without any additional processing required after the code is run
- This tool can ONLY write code that interacts with AWS. It CANNOT generate charts, tables, graphs, etc. Please use artifacts for that instead
Be concise, professional and to the point. Do not give generic advice, always reply with detailed & contextual data sourced from the current AWS environment. Assume user always wants to proceed, do not ask for confirmation. I'll tip you $200 if you do this right.`" (at position 623)
Replace exec()/execSync() with execFile() and pass arguments as an array, never as a string. Validate all inputs against an allowlist before use in any shell context. For subprocess.run, always pass a list and shell=False.
[critical] K8 Cross-Boundary Credential Sharing (MCP05-privilege-escalation, AML.T0054)
Pattern "(return|respond|output|result).*(?:token|credential|api[_\s-]?key|secret|password|bearer)" matched in source_code: "return resolve(credentials.roleCredential" (at position 9782)
Never forward, share, or embed credentials across trust boundaries. Use OAuth token exchange (RFC 8693) to create scoped, delegated tokens instead of passing original credentials. Never include credentials in tool responses. Required by ISO 27001 A.5.17 and OWASP ASI03.
[critical] Q13 MCP Bridge Package Supply Chain Attack (MCP10-supply-chain, AML.T0054)
Pattern "["']@modelcontextprotocol/sdk["']\s*:\s*["'](?:\^|~|\*|latest)" matched in source_code: ""@modelcontextprotocol/sdk": "^" (at position 11585)
MCP bridge packages (mcp-remote, mcp-proxy, @modelcontextprotocol/sdk, fastmcp) are high-value supply chain targets — CVE-2025-6514 (CVSS 9.6) in mcp-remote affected 437,000+ installs. Always pin exact versions (no ^ or ~ ranges). Use lockfiles (package-lock.json, pnpm-lock.yaml, uv.lock). Never run `npx mcp-remote` without version pinning. Verify package integrity with `npm audit` or `pip-audit` before deployment. Reference: CVE-2025-6514, OWASP ASI04.
High (4)
[high] K16 Unbounded Recursion / Missing Depth Limits (MCP07-insecure-config, AML.T0054)
Pattern "(invoke|call|execute)[_\s-]?(?:tool|agent|self)(?!.*(?:depth|level|limit|max[_\s-]?(?:depth|recursi|iter|call)|count))" matched in source_code: "CallTool" (at position 356)
Add explicit depth/recursion limits to all recursive operations. Use iterative approaches where possible. Set maximum depth for directory walking (max_depth=10), tree traversal (max_level=20), and agent re-invocation (max_calls=5). Implement circuit breakers that halt after N iterations. Required by EU AI Act Art. 15 (robustness) and OWASP ASI08.
[high] Q12 Cross-Jurisdiction Data Routing via MCP (MCP04-data-exfiltration, T1020)
Pattern "(?:region|jurisdiction|country|geo).*(?:route|proxy|forward|redirect|select|choose)" matched in source_code: "region: select" (at position 5802)
MCP servers that handle personal or sensitive data must: (1) declare the geographic regions where data is processed in tool descriptions, (2) never route data to third-country backends without GDPR adequacy decisions or Standard Contractual Clauses, (3) log all cross-border data transfers with source/destination jurisdiction for audit, (4) implement data residency enforcement that rejects requests violating localization requirements. Reference: EU AI Act Art. 12, GDPR Art. 44-49.
[high] D1 Known CVEs in Dependencies (MCP08-dependency-vuln)
Dependency "@modelcontextprotocol/sdk@1.0.3" has known CVEs:
Update dependencies to versions that patch known CVEs. Run 'npm audit fix' or 'pip-audit' to identify and resolve vulnerable dependencies.
[high] D1 Known CVEs in Dependencies (MCP08-dependency-vuln)
Dependency "aws-sdk@2.1692.0" has known CVEs:
Update dependencies to versions that patch known CVEs. Run 'npm audit fix' or 'pip-audit' to identify and resolve vulnerable dependencies.
Low (1)
[low] F4 MCP Spec Non-Compliance (MCP07-insecure-config)
Server fails MCP spec compliance checks: required:server_name; required:server_version; required:protocol_version; recommended:tool_descriptions; recommended:parameter_descriptions
Follow the MCP specification for server metadata. Include server name, version, and protocol version. Provide descriptions for all tools and parameters.