Trust Assessment
cognito received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Client Secret Exposure in Client-Side Examples.
The analysis covered 4 layers: dependency_graph, manifest_analysis, llm_behavioral_safety, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit e9e01ada). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Client Secret Exposure in Client-Side Examples: the Python code examples for `sign_up`, `confirm_sign_up`, and `authenticate_user` demonstrate the use of a `SecretHash` computed from a `client_secret`. The `create-user-pool-client` example explicitly uses `--generate-secret`, indicating a confidential client. If these Python examples are intended for client-side applications (e.g., web or mobile frontends), exposing the `client_secret` to compute the `SecretHash` client-side directly contradicts the "Never expose client secrets in frontend code" best practice mentioned later in the document. This pattern could lead to the exposure of the `client_secret`, allowing unauthorized use of the Cognito User Pool client. Clarify that if a `client_secret` is generated for a User Pool client (making it a confidential client), the `SecretHash` must be computed server-side. For public clients (e.g., SPAs, mobile apps), a `client_secret` should not be generated, and thus `SecretHash` is not used. The examples should be updated to reflect this distinction, either by removing the `client_secret` from client-side examples or by explicitly stating that the code is for a confidential client and must run server-side. | Unknown | SKILL.md:79 |
Full report: https://skillshield.io/report/5a5073b0433a46c5