Security Audit

cognito

github.com/itsmostafa/aws-agent-skills

AI SkillCommit e9e01ada13b6

TRUSTED

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

cognito received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Client Secret Exposure in Client-Side Examples.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 11, 2026 (commit e9e01ada). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

85%

Behavioral Risk Signals

Excessive Permissions

1 finding

Security Findings1

Severity	Finding	Layer	Location
HIGH	Potential Client Secret Exposure in Client-Side Examples The Python code examples for `sign_up`, `confirm_sign_up`, and `authenticate_user` demonstrate the use of a `SecretHash` which is computed using a `client_secret`. The `create-user-pool-client` example explicitly uses `--generate-secret`, indicating a confidential client. If these Python examples are intended for client-side applications (e.g., web or mobile frontends), exposing the `client_secret` to compute the `SecretHash` client-side directly contradicts the 'Never expose client secrets in frontend code' best practice mentioned later in the document. This pattern could lead to the exposure of sensitive `client_secret` credentials, allowing unauthorized access to the Cognito User Pool client. Clarify that if a `client_secret` is generated for a User Pool client (making it a confidential client), the `SecretHash` must be computed server-side. For public clients (e.g., SPAs, mobile apps), a `client_secret` should not be generated, and thus `SecretHash` is not used. The examples should be updated to reflect this distinction, either by removing the `client_secret` from client-side examples or explicitly stating that the code is for a confidential client and should run server-side.	LLM	SKILL.md:79

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/5a5073b0433a46c5.svg)](https://skillshield.io/report/5a5073b0433a46c5)