agent-bom-discover-aws

Discover AWS-hosted AI agent and MCP-relevant assets from the operator's environment, emit canonical agent-bom inventory JSON, and scan it without giving agent-bom long-lived cloud credentials. Use when a user asks to inventory AWS Bedrock, ECS, SageMaker, Lambda, EKS, Step Functions, EC2, or agentic AWS infrastructure as canonical inventory. Passing that inventory to agent-bom is optional and operator-chosen.

10 stars

Best use case

agent-bom-discover-aws is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Discover AWS-hosted AI agent and MCP-relevant assets from the operator's environment, emit canonical agent-bom inventory JSON, and scan it without giving agent-bom long-lived cloud credentials. Use when a user asks to inventory AWS Bedrock, ECS, SageMaker, Lambda, EKS, Step Functions, EC2, or agentic AWS infrastructure as canonical inventory. Passing that inventory to agent-bom is optional and operator-chosen.

Teams using agent-bom-discover-aws should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/discover-aws/SKILL.md --create-dirs "https://raw.githubusercontent.com/msaad00/agent-bom/main/integrations/openclaw/discover-aws/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/discover-aws/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How agent-bom-discover-aws Compares

Feature / Agentagent-bom-discover-awsStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Discover AWS-hosted AI agent and MCP-relevant assets from the operator's environment, emit canonical agent-bom inventory JSON, and scan it without giving agent-bom long-lived cloud credentials. Use when a user asks to inventory AWS Bedrock, ECS, SageMaker, Lambda, EKS, Step Functions, EC2, or agentic AWS infrastructure as canonical inventory. Passing that inventory to agent-bom is optional and operator-chosen.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# agent-bom-discover-aws

Use this skill to collect AWS AI and workload inventory from the operator's
environment as canonical inventory. The skill is discover-only by default:
write schema-valid JSON to an operator-selected path and stop. Run
`agent-bom` only when the operator explicitly wants findings, graph, policy,
or exports from that inventory.

## Guardrails

- Use only operator-approved AWS profiles, roles, or short-lived STS sessions.
- Prefer read-only IAM actions listed by `agent-bom trust` or
  `/v1/discovery/providers`.
- Do not request or display raw `AWS_ACCESS_KEY_ID`,
  `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, or bearer tokens.
- Do not modify AWS resources. This workflow is discovery-only.
- Write inventory only to a path the operator chose.
- Treat AI-generated prose as non-authoritative; only the schema-validated
  inventory JSON is evidence.

## Modes

| Mode | What happens | Data boundary |
|------|--------------|---------------|
| `discover-only` | Emit canonical inventory JSON and stop | No agent-bom scan or API handoff |
| `scan-local` | Run `agent-bom agents --inventory ...` on the generated file | Local handoff into the scanner |
| `export` | Write JSON/SARIF or another operator-selected output | Local output only unless the operator routes it elsewhere |

Use `discover-only` unless the operator asks for scan results or an export.

## Workflow

1. Confirm the AWS account/region/profile and intended services.
2. Generate inventory with the repository adapter and stop:

```bash
python examples/operator_pull/aws_inventory_adapter.py \
  --region us-east-1 \
  --profile readonly-audit \
  --source aws-skill-invoked \
  --discovery-method skill_invoked_pull \
  --output aws-inventory.json
```

3. If the operator asks for findings, scan the generated inventory locally:

```bash
agent-bom agents --inventory aws-inventory.json
```

4. If the operator asks for an export, write it to an operator-selected path:

```bash
agent-bom agents --inventory aws-inventory.json --format json --output agent-bom-aws-findings.json
```

## Optional Service Flags

Start narrow, then expand deliberately:

```bash
python examples/operator_pull/aws_inventory_adapter.py \
  --region us-east-1 \
  --profile readonly-audit \
  --source aws-skill-invoked \
  --discovery-method skill_invoked_pull \
  --include-ecs \
  --include-lambda \
  --include-eks \
  --output aws-inventory.json
```

Use `--no-include-ecs` or similar flags to disable default services when an
operator wants a smaller scope.

## Evidence Contract

The inventory emitted by this skill uses:

- `source: aws-skill-invoked`
- `discovery_provenance.source_type: skill_invoked_pull`
- `discovery_provenance.observed_via: skill_invoked_pull, aws_sdk`
- sanitized `metadata.permissions_used`
- sanitized `cloud_origin`, `cloud_principal`, lifecycle fields, packages, and
  MCP server launch metadata

If schema validation fails, stop and fix the inventory instead of scanning a
best-effort or prose summary.

The skill does not push inventory to an API by default. Any push, scan, or
managed control-plane handoff must be a separate operator-approved handoff
command with the destination URL, auth method, and retained evidence classes
made explicit.

Related Skills

agent-bom-discover

10
from msaad00/agent-bom

Discover AI agents, MCP servers, and configurations on this machine or environment. Use when: "find agents", "what's configured", "doctor", "what MCP servers", "show me what's installed", "mcp inventory".

agent-bom-discover-snowflake

10
from msaad00/agent-bom

Discover Snowflake Cortex, Snowpark, notebook, Streamlit, MCP, and AI-observability assets from the operator's environment, emit canonical agent-bom inventory JSON, and scan it without giving agent-bom long-lived Snowflake credentials. Use when a user asks to inventory Snowflake AI or Cortex infrastructure as canonical inventory.

agent-bom-discover-gcp

10
from msaad00/agent-bom

Discover GCP-hosted AI agent and MCP-relevant assets from the operator's environment, emit canonical agent-bom inventory JSON, and scan it without giving agent-bom long-lived GCP credentials. Use when a user asks to inventory Vertex AI, Cloud Run, Cloud Functions, GKE, or agentic GCP infrastructure as canonical inventory.

agent-bom-discover-azure

10
from msaad00/agent-bom

Discover Azure-hosted AI agent and MCP-relevant assets from the operator's environment, emit canonical agent-bom inventory JSON, and scan it without giving agent-bom long-lived Azure credentials. Use when a user asks to inventory Azure OpenAI, Container Apps, AKS, Functions, ML, or agentic Azure infrastructure as canonical inventory.

missing-guardrail-fixture

10
from msaad00/agent-bom

Fixture that intentionally omits the capability guardrail contract.

agent-bom-vulnerability-intel

10
from msaad00/agent-bom

Use agent-bom to check package, SBOM, inventory, and agent dependency exposure against OSV, GitHub Security Advisories, NVD, EPSS, and CISA KEV with explicit data-boundary choices. Use when a user asks for CVE lookup, advisory intelligence, exploitability context, fix versions, GHSA/OSV/NVD enrichment, or package vulnerability triage.

agent-bom-troubleshoot

10
from msaad00/agent-bom

Diagnose issues, check prerequisites, and validate configurations. Use when: "doctor", "debug", "why failing", "validate config", "check prerequisites", "something is broken", "db status", "fix my setup".

agent-bom-scan

10
from msaad00/agent-bom

Open security scanner for agentic infrastructure — agents, MCP, packages, blast radius, runtime, and trust for package CVEs (OSV, NVD, EPSS, KEV), container images, provenance, filesystems, and SBOMs. Use when: "check package", "scan image", "verify", "is this safe", "scan dependencies", "CVE lookup", "blast radius".

agent-bom-scan-infra

10
from msaad00/agent-bom

Scan infrastructure-as-code, cloud configurations, and find secrets. Use when: "check terraform", "scan kubernetes", "IaC", "find secrets", "scan dockerfile", "cloud security", "misconfigurations".

agent-bom-runtime

10
from msaad00/agent-bom

AI runtime security monitoring — context graph analysis, runtime audit log correlation with CVE findings, and vulnerability analytics queries. Use when the user mentions runtime monitoring, context graphs, lateral movement analysis, audit log correlation, or vulnerability analytics.

agent-bom-registry

10
from msaad00/agent-bom

MCP server security registry and trust assessment — look up servers in the 427+ server security metadata registry, run pre-install marketplace checks, batch fleet risk scoring, assess skill file trust, and run SAST code scans. Use when the user mentions MCP server trust, registry lookup, marketplace check, or skill trust assessment.

agent-bom-monitor

10
from msaad00/agent-bom

Monitor agent fleet, track trust scores, and manage lifecycle states. Use when: "fleet", "watch agents", "runtime status", "trust scores", "fleet sync", "agent lifecycle", "serve dashboard".