cloud

Cloud exploitation lane — AWS IAM privesc, S3 takeover, k8s RBAC abuse, Terraform state leaks, cloud metadata pivoting.

Best for Cloud penetration testingWorks with GitHubHigh risk

#aws #iam #s3 #kubernetes #terraform #security #pentesting #cloud-security #privilege-escalation #enumeration

⌘source

author: @PurpleAILAB
repo: PurpleAILAB/Decepticon
language: Python

✦overview.md

Key Features

·Enumerates AWS IAM policies for privilege escalation paths
·Identifies and exploits dangling S3 buckets for subdomain takeover
·Audits Kubernetes RBAC configurations for pod escape and hostPath abuse
·Scans exposed Terraform state files for sensitive cloud infrastructure data
·Leverages SSRF vulnerabilities to pivot through cloud metadata services
·Maps discovered vulnerabilities into attack chains for visualization

Use Cases

→Security teams conducting authorized penetration tests on cloud environments
→Red team operators simulating attacker post-exploitation in AWS or Kubernetes
→DevOps engineers proactively auditing their own infrastructure for misconfigurations
→Incident responders investigating potential cloud account compromises

Best for

✓Cloud penetration testing
✓Red team operations
✓Security audits

Not ideal for

!General cloud administration
!Development workflows
!Non-security use cases

FAQs

skills/cloud/SKILL.md

name

cloud-overview

description

Cloud exploitation lane — AWS IAM privesc, S3 takeover, k8s RBAC abuse, Terraform state leaks, cloud metadata pivoting.

Cloud Hunter Skill Catalog

Playbooks

Skill	Use for
`/skills/cloud/aws-iam-enum/SKILL.md`	IAM enumeration + privesc
`/skills/cloud/s3-takeover/SKILL.md`	Dangling bucket / subdomain takeover
`/skills/cloud/k8s-pivot/SKILL.md`	Pod escape, RBAC abuse, hostPath
`/skills/cloud/terraform-state-leak/SKILL.md`	Exposed state file exploitation
`/skills/cloud/imds-pivot/SKILL.md`	SSRF → metadata → IAM role

Workflow (authenticated engagement)

bash("aws sts get-caller-identity")
bash("aws iam list-attached-user-policies --user-name <me>")
For each attached policy: fetch JSON and iam_policy_audit
Feed Terraform state via bash("aws s3 cp s3://bucket/terraform.tfstate -") → tfstate_audit
bash("kubectl get pods -A -o json") → k8s_audit
Every privesc primitive → kg_add_node + chain edges

Workflow (post-SSRF)

metadata_endpoints("aws") for the target cloud
Pivot URL one at a time via the SSRF vector
Confirmed creds → credential node + leaks edge from the SSRF vuln
plan_attack_chains(promote=True) to see the full path

$install

1-click copy

npx skills add PurpleAILAB/Decepticon --skill cloud

Safety assessment

★

Clarity score

How clear and easy to understand the SKILL.md instructions are, rated from 1 to 5.

4/ 5

very good

Clear and well structured, with only minor parts that might need a second read.

◎

Actionability score

How directly an agent can act on the SKILL.md instructions, rated from 1 to 5.

4/ 5

high

Mostly actionable with clear steps; only a few small gaps remain.

~community cookbook

~you might also like

view all →

gitnexus-pr-review

★28k

code-review#pull-request

[✓]from @abhigyanpatwari

[✓]

Use when the user wants to review a pull request, understand what a PR changes, assess risk of merging, or check for...

April 18, 2026

◧ Compare

triage

★2.1k

security#binary

[✓]from @PurpleAILAB

[✓]

Fast-path binary triage — identify format/arch/mitigations, grab high-signal strings and imports in under a minute.

April 18, 2026

◧ Compare

reporting

★2.1k

security#report

[✓]from @PurpleAILAB

[✓]

Post-exploitation finding documentation — credential access, privilege escalation, lateral movement reports, detectio...

April 18, 2026

◧ Compare

ssrf-to-rce

★2.1k

security#ssrf

[✓]from @PurpleAILAB

[✓]

Build and validate SSRF pivot chains toward metadata/infra control and final code execution impact.

⚠ danger

April 18, 2026

◧ Compare

c2-sliver

★2.1k

security#c2

[✓]from @PurpleAILAB

[✓]

Sliver C2 framework operations — server connection, listener setup, implant generation, BOF/Armory extensions, post-i...

⚠ danger

April 18, 2026

◧ Compare

reporting

★2.1k

security#report

[✓]from @PurpleAILAB

[✓]

Exploitation finding documentation — initial access reports, exploit chain documentation, CVSS v4.

April 18, 2026

◧ Compare

Cloud Hunter Skill Catalog

Playbooks

Skill

Use for

/skills/cloud/aws-iam-enum/SKILL.md

IAM enumeration + privesc

/skills/cloud/s3-takeover/SKILL.md

Dangling bucket / subdomain takeover

/skills/cloud/k8s-pivot/SKILL.md

Pod escape, RBAC abuse, hostPath

/skills/cloud/terraform-state-leak/SKILL.md

Exposed state file exploitation

/skills/cloud/imds-pivot/SKILL.md

SSRF → metadata → IAM role

Workflow (authenticated engagement)

bash("aws sts get-caller-identity")

bash("aws iam list-attached-user-policies --user-name <me>")

For each attached policy: fetch JSON and iam_policy_audit

Feed Terraform state via bash("aws s3 cp s3://bucket/terraform.tfstate -") → tfstate_audit

bash("kubectl get pods -A -o json") → k8s_audit

Every privesc primitive → kg_add_node + chain edges

Workflow (post-SSRF)

metadata_endpoints("aws") for the target cloud

Pivot URL one at a time via the SSRF vector

Confirmed creds → credential node + leaks edge from the SSRF vuln

plan_attack_chains(promote=True) to see the full path

cloud

Key Features

Use Cases

Best for

Not ideal for

FAQs

What cloud providers does this skill support?

Does this require existing access to the target cloud?

Is this for defensive or offensive security?

Cloud Hunter Skill Catalog

Playbooks

Workflow (authenticated engagement)

Workflow (post-SSRF)

Safety assessment

Clarity score

Actionability score

~community cookbook

~you might also like

gitnexus-pr-review

triage

reporting

ssrf-to-rce

c2-sliver

reporting

AI Skill Finder

cloud

Key Features

Use Cases

Best for

Not ideal for

FAQs

What cloud providers does this skill support?

Does this require existing access to the target cloud?

Is this for defensive or offensive security?

Cloud Hunter Skill Catalog

Playbooks

Workflow (authenticated engagement)

Workflow (post-SSRF)

Safety assessment

Clarity score

Actionability score

~community cookbook

~you might also like

gitnexus-pr-review

triage

reporting

ssrf-to-rce

c2-sliver

reporting