pikkujs/pikku-aws
packages/cli/skills/pikku-aws/SKILL.md
Use when setting up AWS services (S3, SQS, Secrets Manager) in a Pikku app. Covers S3Content for file storage, SQSQueueService for queues, and AWSSecrets for secret management. TRIGGER when: code uses S3Content, SQSQueueService, AWSSecrets, or user asks about AWS integration, S3 uploads, SQS queues, or AWS Secrets Manager with Pikku. DO NOT TRIGGER when: user asks about AWS Lambda runtime (use pikku-deploy-lambda).
$ install --global
skillsauthnpx skillsauth add pikkujs/pikku pikku-awsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 4, 2026, 6:04 AM307.4s1 file scanned
SKILL.md
- name:
- pikku-aws
- description:
- Use when setting up AWS services (S3, SQS, Secrets Manager) in a Pikku app. Covers S3Content for file storage, SQSQueueService for queues, and AWSSecrets for secret management.
- TRIGGER when:
- code uses S3Content, SQSQueueService, AWSSecrets, or user asks about AWS integration, S3 uploads, SQS queues, or AWS Secrets Manager with Pikku.
- DO NOT TRIGGER when:
- user asks about AWS Lambda runtime (use pikku-deploy-lambda).
Pikku AWS Services
Agent Operating Procedure
Use this skill as an execution checklist, not reference material.
- Discover before editing. Prefer OpenCode tools such as
pikku-metawhen available; otherwise run the relevantpikku meta ... --jsoncommand and inspect only the focused output you need. - Identify the source files that own the behavior. Do not start by reading generated output,
.pikku,node_modules, vendored packages, or broad build artifacts. - Make the smallest source change that satisfies the task. Keep generated files generated, and avoid hand-editing SDKs, schema output, or typegen.
- Validate with the narrowest relevant command first, then run
pikku-verifyorpikku allwhen functions, wirings, schemas, or generated clients may have changed. - If validation fails, fix the source cause and rerun validation. Do not paper over generated errors by editing generated files.
@pikku/aws-services provides AWS-backed implementations of Pikku's content, queue, and secret service interfaces.
Installation
yarn add @pikku/aws-services
API Reference
S3Content (File Storage)
import { S3Content } from '@pikku/aws-services'
const content = new S3Content(
config: S3ContentConfig,
logger: Logger,
signConfig: { keyPairId: string; privateKey: string }
)
Methods:
signURL(url: string, dateLessThan: Date, dateGreaterThan?: Date): Promise<string>— Sign a CloudFront URLsignContentKey(key: string, dateLessThan: Date, dateGreaterThan?: Date): Promise<string>— Sign a content keygetUploadURL(Key: string, ContentType: string): Promise<{ uploadUrl, assetKey }>— Get presigned upload URLreadFile(Key: string): Promise<ReadableStream>— Read file as streamreadFileAsBuffer(Key: string): Promise<Buffer>— Read file as bufferwriteFile(Key: string, stream: ReadableStream): Promise<boolean>— Write file from streamcopyFile(Key: string, fromAbsolutePath: string): Promise<boolean>— Copy local file to S3deleteFile(Key: string): Promise<boolean>— Delete file
SQSQueueService (Queue)
import { SQSQueueService } from '@pikku/aws-services'
const queue = new SQSQueueService(config: SQSQueueServiceConfig)
Implements QueueService. Note: supportsResults = false — job status tracking is not supported.
Methods:
add<T>(queueName: string, data: T, options?: JobOptions): Promise<string>— Enqueue a message
AWSSecrets (Secrets Manager)
import { AWSSecrets } from '@pikku/aws-services'
const secrets = new AWSSecrets(config: AWSConfig)
Methods:
getSecret<R>(SecretId: string): Promise<R>— Get a secret valuegetSecretJSON<R>(SecretId: string): Promise<R>— Get and parse a JSON secrethasSecret(SecretId: string): Promise<boolean>— Check if secret exists
Usage Patterns
S3 Content Service
const createSingletonServices = pikkuServices(async (config) => {
const logger = new PinoLogger()
const content = new S3Content(
{ bucket: config.s3Bucket, region: config.awsRegion },
logger,
{ keyPairId: config.cfKeyPairId, privateKey: config.cfPrivateKey }
)
return { config, logger, content }
})
SQS Queue
const createSingletonServices = pikkuServices(async (config) => {
const queue = new SQSQueueService({
region: config.awsRegion,
queueUrlPrefix: config.sqsUrlPrefix,
})
return { config, queue }
})
Related Skills
pikkujs/pikku-tag-middleware
documentation
VerifiedTrustedCommunity
Deprecated — use pikku-middleware instead. Tag middleware (addTagMiddleware) is now documented as a section within the pikku-middleware skill, alongside global HTTP middleware, execution order, and the service-to-service bearer auth pattern.
56SKILL.mdUpdated Jun 10, 2026
pikkujs/pikku-permissions
testing
VerifiedTrustedCommunity
Use when adding authorization checks to Pikku functions or routes — pikkuPermission, pikkuAuth, per-function permissions, pattern-based permissions, or understanding OR/AND permission logic. TRIGGER when: user wants to restrict who can call a function, check resource ownership, add role-based access, or understand where permission checks belong. DO NOT TRIGGER when: user asks about middleware or request interception (use pikku-middleware), authentication strategies (use pikku-security), or session management.
56SKILL.mdUpdated Jun 10, 2026
pikkujs/pikku-middleware
testing
VerifiedTrustedCommunity
Use when adding any middleware to a Pikku app — global HTTP middleware, tag-scoped middleware (including service-to-service bearer auth), per-route middleware, session-setting middleware, or understanding middleware execution order and priority. TRIGGER when: user wants middleware on some or all routes, machine-to-machine auth, tag-scoped cross-cutting concerns, global interceptors, or middleware priority/order questions. DO NOT TRIGGER when: user asks about permissions/authorization checks (use pikku-permissions), auth strategies like authBearer/authCookie (use pikku-security), or deployment.
56SKILL.mdUpdated Jun 10, 2026
pikkujs/pikku-template-clone
documentation
VerifiedTrustedCommunity
Standard cleanup to run right after a Pikku template is cloned or scaffolded into a new project. TRIGGER when: a Pikku template was just cloned/scaffolded (via `pikku create`, `git clone <template>`, or the user says "I cloned the kanban template / starter / template"), or the working tree still looks like an untouched template (template README, placeholder `@project/*` name in package.json). DO NOT TRIGGER when: working in an established project mid-feature, or editing the template repo itself.
56SKILL.mdUpdated Jun 4, 2026