aws-penetration-testing

Block requests to cloud metadata endpoints (169.254.169.254, metadata.google.internal). Implement URL validation that rejects private IP ranges and cloud metadata addresses.

Likely FP if the match is in documentation explaining cloud security concepts or SSRF prevention rather than actual code making metadata requests.

Remove directives that attempt to exfiltrate data through the agent's response (e.g., asking the agent to embed credentials in URLs or include secret values in output).

Likely FP if the text is a legitimate tool instruction about displaying configuration to the user (e.g., show current settings) without external transmission.

Block access to cloud instance metadata services using IMDSv2 token requirements, network rules, or iptables. This is a critical vector for credential theft in cloud environments.

Likely FP if the match is in security documentation explaining how to protect against SSRF/IMDS attacks rather than code that accesses the metadata service.

Block requests to internal service discovery endpoints (consul, etcd, kubernetes API). Implement network segmentation between the agent and internal infrastructure services.

Likely FP if the match is documentation about service discovery architecture without actual code that queries these endpoints.

Block access to cloud instance metadata services using IMDSv2 token requirements, network rules, or iptables. This is a critical vector for credential theft in cloud environments.

Likely FP if the match is in security documentation explaining how to protect against SSRF/IMDS attacks rather than code that accesses the metadata service.

Block requests to internal service discovery endpoints (consul, etcd, kubernetes API). Implement network segmentation between the agent and internal infrastructure services.

Likely FP if the match is documentation about service discovery architecture without actual code that queries these endpoints.

Block requests to internal service discovery endpoints (consul, etcd, kubernetes API). Implement network segmentation between the agent and internal infrastructure services.

Likely FP if the match is documentation about service discovery architecture without actual code that queries these endpoints.

Block requests to internal service discovery endpoints (consul, etcd, kubernetes API). Implement network segmentation between the agent and internal infrastructure services.

Likely FP if the match is documentation about service discovery architecture without actual code that queries these endpoints.

Block requests to internal service discovery endpoints (consul, etcd, kubernetes API). Implement network segmentation between the agent and internal infrastructure services.

Likely FP if the match is documentation about service discovery architecture without actual code that queries these endpoints.

Block requests to internal service discovery endpoints (consul, etcd, kubernetes API). Implement network segmentation between the agent and internal infrastructure services.

Likely FP if the match is documentation about service discovery architecture without actual code that queries these endpoints.

Block access to cloud instance metadata services using IMDSv2 token requirements, network rules, or iptables. This is a critical vector for credential theft in cloud environments.

Likely FP if the match is in security documentation explaining how to protect against SSRF/IMDS attacks rather than code that accesses the metadata service.

Block requests to cloud metadata endpoints (169.254.169.254, metadata.google.internal). Implement URL validation that rejects private IP ranges and cloud metadata addresses.

Likely FP if the match is in documentation explaining cloud security concepts or SSRF prevention rather than actual code making metadata requests.

Block access to cloud instance metadata services using IMDSv2 token requirements, network rules, or iptables. This is a critical vector for credential theft in cloud environments.

Likely FP if the match is in security documentation explaining how to protect against SSRF/IMDS attacks rather than code that accesses the metadata service.

Block requests to internal service discovery endpoints (consul, etcd, kubernetes API). Implement network segmentation between the agent and internal infrastructure services.

Likely FP if the match is documentation about service discovery architecture without actual code that queries these endpoints.

Block requests to internal service discovery endpoints (consul, etcd, kubernetes API). Implement network segmentation between the agent and internal infrastructure services.

Likely FP if the match is documentation about service discovery architecture without actual code that queries these endpoints.

Block access to cloud instance metadata services using IMDSv2 token requirements, network rules, or iptables. This is a critical vector for credential theft in cloud environments.

Likely FP if the match is in security documentation explaining how to protect against SSRF/IMDS attacks rather than code that accesses the metadata service.

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.