bedrock-engineer

Universal AI Agent using Amazon Bedrock, capable of customize to create/edit files, execute commands, search the web, use knowledge base, use multi-agents, generative images and more.

aws-samplesfilesystemTypeScriptMIT-0
GitHub
0Tools
8Findings
467Stars
Mar 22, 2026Last Scanned
3 critical · 3 high · 2 low findings detected

Security Category Deep Dive

Prompt Injection
Prompt & context manipulation attacks
69
Maturity
14
Rules
5
Sub-Categories
1
Gaps
64%
Implemented
56
Tests
1
Stories
PI-DIRDirect Input Injection
100%3 rules
Injection via tool descriptions and parameter fields
GAP-001Prompt Injection Coverage GapMissing detection coverage for emerging prompt injection attack variants not addressed by current rules
PI-INDIndirect / Gateway Injection
100%4 rules
Hidden instructions via external content and tool responses
PI-CTXContext Manipulation
100%2 rules
Context window saturation and prior-approval exploitation
PI-ENCEncoding & Obfuscation
100%3 rules
Payload hiding via invisible chars, base64, schema fields
PI-TPLTemplate & Output Poisoning
100%2 rules
Injection via prompt templates and runtime tool output
Framework Coverage
OWASP MCP Top 1014/14
MITRE ATLAS14/14
CoSAI MCP2/14
OWASP Agentic Top 1012/14
Kill Chain Phases
0Initial Access
0Defense Evasion
0Execution
0Persistence

Findings8

3critical
3high
2low

Critical3

criticalQ6Agent Identity Impersonation via MCPMCP05-privilege-escalationAML.T0054
Pattern "(?:execute|run|perform).*(?:as|on[_\s]?behalf[_\s]?of|with[_\s]?privileges[_\s]?of).*(?:agent|role)" matched in source_code: "execute commands, search the web, use knowledge base, use multi-agent" (at position 212)
MCP tools in multi-agent systems must verify agent identity cryptographically — never accept agent_id/agent_role as plain string parameters. Use cryptographic attestation (signed tokens, mTLS certificates, or capability tokens) for inter-agent communication. Implement the principle of least privilege: each agent should only be able to claim its own identity. Reference: OWASP ASI03, arXiv 2602.19555.
criticalQ13MCP Bridge Package Supply Chain AttackMCP10-supply-chainAML.T0054
Pattern "["']@modelcontextprotocol/sdk["']\s*:\s*["'](?:\^|~|\*|latest)" matched in source_code: ""@modelcontextprotocol/sdk": "^" (at position 2337)
MCP bridge packages (mcp-remote, mcp-proxy, @modelcontextprotocol/sdk, fastmcp) are high-value supply chain targets — CVE-2025-6514 (CVSS 9.6) in mcp-remote affected 437,000+ installs. Always pin exact versions (no ^ or ~ ranges). Use lockfiles (package-lock.json, pnpm-lock.yaml, uv.lock). Never run `npx mcp-remote` without version pinning. Verify package integrity with `npm audit` or `pip-audit` before deployment. Reference: CVE-2025-6514, OWASP ASI04.
criticalK5Auto-Approve / Bypass Confirmation PatternMCP06-excessive-permissionsAML.T0054
Pattern "\-\-(yes|force|no-confirm|no-prompt|assume-yes)\b" matched in source_code: "--force" (at position 1540)
Never auto-approve or bypass human confirmation for operations with side effects. Implement explicit confirmation gates that cannot be programmatically bypassed. If batch/CI mode is needed, require an explicit opt-in flag with audit logging. Required by EU AI Act Art. 14 (human oversight) and OWASP ASI09.

High3

highK19Missing Runtime Sandbox EnforcementMCP07-insecure-configAML.T0054
Pattern "(run[_\s-]?as[_\s-]?root|EUID.*0|uid.*0)(?!.*(?:drop|setuid|seteuid|change.?user))" matched in source_code: "uid": "^13.0.0" (at position 3446)
Run MCP servers in sandboxed containers with: (1) No --privileged flag, (2) Minimal Linux capabilities (drop ALL, add only needed), (3) Read-only root filesystem, (4) Non-root user, (5) Seccomp/AppArmor profiles enabled, (6) No host mounts except data volumes. CoSAI warns containers alone are insufficient — add seccomp profiles. Required by CoSAI MCP-T8 and ISO 27001 A.8.22.
highK15Multi-Agent Collusion PreconditionsMCP05-privilege-escalationAML.T0054
Pattern "(agent|delegate|orchestrat).*(?:invoke|call|execute|spawn)(?!.*(?:rate[_\s-]?limit|throttle|quota|max[_\s-]?concurrent|semaphore))" matched in source_code: "agent apps using Amazon Bedrock, capable of customize to create/edit files, execute" (at position 136)
Implement collusion-resistant multi-agent architecture: (1) Verify agent identity cryptographically before accepting commands, (2) Apply ACLs to shared write surfaces, (3) Rate-limit cross-agent invocations, (4) Audit all inter-agent communication with timestamps and agent IDs, (5) Baseline normal interaction patterns for anomaly detection. Required by MAESTRO L7 and CoSAI MCP-T9.
highD1Known CVEs in DependenciesMCP08-dependency-vuln
Dependency "mermaid@11.4.0" has known CVEs:
Update dependencies to versions that patch known CVEs. Run 'npm audit fix' or 'pip-audit' to identify and resolve vulnerable dependencies.

Low2

lowF4MCP Spec Non-ComplianceMCP07-insecure-config
Server fails MCP spec compliance checks: required:server_name; required:server_version; required:protocol_version; recommended:tool_descriptions; recommended:parameter_descriptions
Follow the MCP specification for server metadata. Include server name, version, and protocol version. Provide descriptions for all tools and parameters.
lowD4Excessive Dependency CountMCP08-dependency-vuln
Server has 90 dependencies (threshold: 50)
Reduce the number of direct dependencies. Each dependency increases the attack surface. Consider whether lighter alternatives exist.